
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4473
 SUSE-SU-2019:3068-1 Security update for suse-openstack-cloud dependencies
                             27 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           suse-openstack-cloud
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18874 CVE-2019-17134 

Reference:         ESB-2019.4367
                   ESB-2019.4167
                   ESB-2019.3801

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2019/suse-su-20193068-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for ardana-db, ardana-keystone,
ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui,
openstack-barbican, openstack-heat-templates, openstack-keystone,
openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas,
openstack-nova, openstack-octavia, openstack-sahara, python-psutil,
release-notes-suse-openstack-cloud

______________________________________________________________________________

Announcement ID:   SUSE-SU-2019:3068-1
Rating:            moderate
References:        #1153304 #1155942 #1156525
Cross-References:  CVE-2019-17134 CVE-2019-18874
Affected Products:
                   SUSE OpenStack Cloud Crowbar 9
                   SUSE OpenStack Cloud 9
______________________________________________________________________________

An update that solves two vulnerabilities and has one erratum is now available.

Description:

This update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova,
crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican,
openstack-heat-templates, openstack-keystone, openstack-neutron,
openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova,
openstack-octavia, openstack-sahara, python-psutil,
release-notes-suse-openstack-cloud fixes the following issues:

Security fix for openstack-octavia:

  o CVE-2019-17134: Fixed an issue where the Octavia amphora agent did not
    require a client certificate (bsc#1153304).

Security fix for python-psutil:

  o CVE-2019-18874: Fixed a double-free vulnerability that occurred when
    converting system data into a Python object (bsc#1155089).

Non-security changes:

  o Update to version 9.0+git.1572311426.a6dc2fd:
    * Align Crowbar and Ardana MariaDB configs (SOC-10094)

  o Update to version 9.0+git.1573069087.15ffd1c:
    * Enable debug and insecure_debug on demand (SOC-10934)

  o Update to version 9.0+git.1572019823.6650494:
    * Correctly set up the ardana_notify_... fact (SOC-10902)

  o Update to version 9.0+git.1572618171.4460843:
    * Update gerrit FQDN in .gitreview (SOC-9140)

  o Update to version 6.0+git.1573825081.b1caf60f1:
    * Update the testsuite for the new upgrade method (SOC-10761)
    * upgrade: cold start nova before live migration (SOC-10761)

  o Update to version 6.0+git.1573131992.3c660b413:
    * [upgrade] Call finalize_nodes_upgrade at the very end (bsc#1155942)

  o Update to version 6.0+git.1573051151.3495e0e94:
    * Allow enabling bpdu-forwarding on OVS bridges (SOC-9172)

  o Update to version 6.0+git.1573754820.dd036ef77:
    * neutron: use octavia-api admin VIP URI for lbaasv2 (SOC-10906)
    * octavia: handle certificate ownership in barclamp (SOC-10906)
    * octavia: add SSL support to octavia-api (SOC-10906)

  o Update to version 6.0+git.1573174019.9965ae9b8:
    * designate: change default configuration (SOC-10899)

  o Update to version 6.0+git.1572855359.8efafea01:
    * Make sure the input file with the ssh key exists (SOC-10133)

  o Update to version 6.0+git.1572636244.e12406629:
    * Change order of Octavia to 102 (SOC-10289)

  o Update to version 6.0+git.1572470261.49c0affe1:
    * designate: move keystone resource lookup to convergence (SOC-10887)

  o Update to version 1.3.0+git.1572871359.50fc6087:
    * Add title for XEN compute nodes precheck (SOC-10495)

  o Update to version barbican-7.0.1.dev21:
    * Fix duplicate paths in secret hrefs
    * Fix the bug of pep8 and building api-guide
    * OpenDev Migration Patch

  o Remove 0001-Fix-duplicate-paths-in-secret-hrefs.patch as it had landed
    upstream

  o Replace openstack.org git:// URLs with https://

  o Update to version keystone-14.1.1.dev28:
    * Allow using application credentials through group membership

  o Update to version neutron-13.0.6.dev8:
    * Retry creating iptables managers and adding metering rules

  o Update to version neutron-13.0.6.dev6:
    * Increase timeout when waiting for dnsmasq enablement

  o Update to version neutron-13.0.6.dev4:
    * Log OVS firewall conjunction creation

  o Update to version group-based-policy-5.0.1.dev476:
    * Provide a control knob to use the internal EP interface
    * Send port notifications when host_route is getting updated

  o Update to version group-based-policy-5.0.1.dev473:
    * Fix pep8 failures seen on submitted patches

  o Update to version neutron-lbaas-13.0.1.dev16:
    * "lbaas delete l7 rule" Parameter Passing Error

  o Update to version nova-18.2.4.dev22:
    * Revert "openstack server create" to "nova boot" in nova docs
    * doc: fix and clarify --block-device usage in user docs

  o Update to version nova-18.2.4.dev20:
    * Avoid error 500 on shelve task_state race

  o Update to version nova-18.2.4.dev19:
    * libvirt: Ignore volume exceptions during post_live_migration

  o Update to version octavia-3.2.1.dev3:
    * Improve the error message for bad pkcs12 bundles

  o Update to version octavia-3.2.1.dev2:
    * ipvsadm '--exact' arg to ensure outputs are ints

  o Update to version sahara-9.0.2.dev14:
    * Fix image creation
    * Check MariaDB installation

  o Update to version 9.20191025:
    * Support OpenID Connect (SOC-10510)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-3068=1
  o SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2019-3068=1

Package List:

  o SUSE OpenStack Cloud Crowbar 9 (x86_64):
       crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1
       crowbar-core-branding-upstream-6.0+git.1573825081.b1caf60f1-3.16.1
       python-psutil-5.4.6-3.3.1
       python-psutil-debuginfo-5.4.6-3.3.1
       python-psutil-debugsource-5.4.6-3.3.1
  o SUSE OpenStack Cloud Crowbar 9 (noarch):
       crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1
       crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1
       openstack-barbican-7.0.1~dev21-3.3.1
       openstack-barbican-api-7.0.1~dev21-3.3.1
       openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1
       openstack-barbican-retry-7.0.1~dev21-3.3.1
       openstack-barbican-worker-7.0.1~dev21-3.3.1
       openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1
       openstack-keystone-14.1.1~dev28-3.16.1
       openstack-neutron-13.0.6~dev8-3.16.2
       openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2
       openstack-neutron-gbp-5.0.1~dev476-3.13.1
       openstack-neutron-ha-tool-13.0.6~dev8-3.16.2
       openstack-neutron-l3-agent-13.0.6~dev8-3.16.2
       openstack-neutron-lbaas-13.0.1~dev16-3.13.1
       openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1
       openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2
       openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2
       openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2
       openstack-neutron-metering-agent-13.0.6~dev8-3.16.2
       openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2
       openstack-neutron-server-13.0.6~dev8-3.16.2
       openstack-nova-18.2.4~dev22-3.16.2
       openstack-nova-api-18.2.4~dev22-3.16.2
       openstack-nova-cells-18.2.4~dev22-3.16.2
       openstack-nova-compute-18.2.4~dev22-3.16.2
       openstack-nova-conductor-18.2.4~dev22-3.16.2
       openstack-nova-console-18.2.4~dev22-3.16.2
       openstack-nova-novncproxy-18.2.4~dev22-3.16.2
       openstack-nova-placement-api-18.2.4~dev22-3.16.2
       openstack-nova-scheduler-18.2.4~dev22-3.16.2
       openstack-nova-serialproxy-18.2.4~dev22-3.16.2
       openstack-nova-vncproxy-18.2.4~dev22-3.16.2
       openstack-octavia-3.2.1~dev3-3.16.1
       openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
       openstack-octavia-api-3.2.1~dev3-3.16.1
       openstack-octavia-health-manager-3.2.1~dev3-3.16.1
       openstack-octavia-housekeeping-3.2.1~dev3-3.16.1
       openstack-octavia-worker-3.2.1~dev3-3.16.1
       openstack-sahara-9.0.2~dev14-3.6.1
       openstack-sahara-api-9.0.2~dev14-3.6.1
       openstack-sahara-engine-9.0.2~dev14-3.6.1
       python-barbican-7.0.1~dev21-3.3.1
       python-keystone-14.1.1~dev28-3.16.1
       python-neutron-13.0.6~dev8-3.16.2
       python-neutron-gbp-5.0.1~dev476-3.13.1
       python-neutron-lbaas-13.0.1~dev16-3.13.1
       python-nova-18.2.4~dev22-3.16.2
       python-octavia-3.2.1~dev3-3.16.1
       python-sahara-9.0.2~dev14-3.6.1
       release-notes-suse-openstack-cloud-9.20191025-3.15.1
  o SUSE OpenStack Cloud 9 (x86_64):
       python-psutil-5.4.6-3.3.1
       python-psutil-debuginfo-5.4.6-3.3.1
       python-psutil-debugsource-5.4.6-3.3.1
  o SUSE OpenStack Cloud 9 (noarch):
       ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1
       ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1
       ardana-neutron-9.0+git.1572019823.6650494-3.16.1
       ardana-nova-9.0+git.1572618171.4460843-3.13.1
       openstack-barbican-7.0.1~dev21-3.3.1
       openstack-barbican-api-7.0.1~dev21-3.3.1
       openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1
       openstack-barbican-retry-7.0.1~dev21-3.3.1
       openstack-barbican-worker-7.0.1~dev21-3.3.1
       openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1
       openstack-keystone-14.1.1~dev28-3.16.1
       openstack-neutron-13.0.6~dev8-3.16.2
       openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2
       openstack-neutron-gbp-5.0.1~dev476-3.13.1
       openstack-neutron-ha-tool-13.0.6~dev8-3.16.2
       openstack-neutron-l3-agent-13.0.6~dev8-3.16.2
       openstack-neutron-lbaas-13.0.1~dev16-3.13.1
       openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1
       openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2
       openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2
       openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2
       openstack-neutron-metering-agent-13.0.6~dev8-3.16.2
       openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2
       openstack-neutron-server-13.0.6~dev8-3.16.2
       openstack-nova-18.2.4~dev22-3.16.2
       openstack-nova-api-18.2.4~dev22-3.16.2
       openstack-nova-cells-18.2.4~dev22-3.16.2
       openstack-nova-compute-18.2.4~dev22-3.16.2
       openstack-nova-conductor-18.2.4~dev22-3.16.2
       openstack-nova-console-18.2.4~dev22-3.16.2
       openstack-nova-novncproxy-18.2.4~dev22-3.16.2
       openstack-nova-placement-api-18.2.4~dev22-3.16.2
       openstack-nova-scheduler-18.2.4~dev22-3.16.2
       openstack-nova-serialproxy-18.2.4~dev22-3.16.2
       openstack-nova-vncproxy-18.2.4~dev22-3.16.2
       openstack-octavia-3.2.1~dev3-3.16.1
       openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
       openstack-octavia-api-3.2.1~dev3-3.16.1
       openstack-octavia-health-manager-3.2.1~dev3-3.16.1
       openstack-octavia-housekeeping-3.2.1~dev3-3.16.1
       openstack-octavia-worker-3.2.1~dev3-3.16.1
       openstack-sahara-9.0.2~dev14-3.6.1
       openstack-sahara-api-9.0.2~dev14-3.6.1
       openstack-sahara-engine-9.0.2~dev14-3.6.1
       python-barbican-7.0.1~dev21-3.3.1
       python-keystone-14.1.1~dev28-3.16.1
       python-neutron-13.0.6~dev8-3.16.2
       python-neutron-gbp-5.0.1~dev476-3.13.1
       python-neutron-lbaas-13.0.1~dev16-3.13.1
       python-nova-18.2.4~dev22-3.16.2
       python-octavia-3.2.1~dev3-3.16.1
       python-sahara-9.0.2~dev14-3.6.1
       release-notes-suse-openstack-cloud-9.20191025-3.15.1
       venv-openstack-barbican-x86_64-7.0.1~dev21-3.13.1
       venv-openstack-cinder-x86_64-13.0.8~dev8-3.13.1
       venv-openstack-designate-x86_64-7.0.1~dev22-3.13.1
       venv-openstack-heat-x86_64-11.0.3~dev23-3.13.1
       venv-openstack-keystone-x86_64-14.1.1~dev28-3.13.1
       venv-openstack-magnum-x86_64-7.1.1~dev28-4.13.1
       venv-openstack-manila-x86_64-7.3.1~dev15-3.13.1
       venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.13.1
       venv-openstack-neutron-x86_64-13.0.6~dev8-6.13.1
       venv-openstack-nova-x86_64-18.2.4~dev22-3.13.1
       venv-openstack-octavia-x86_64-3.2.1~dev3-4.13.1
       venv-openstack-sahara-x86_64-9.0.2~dev14-3.13.1
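
The Patch Instructions and Package List above give the fixed build of each package per product; the check an operator wants after running the zypper command is whether every installed package is at least that build. The following is an added example, not code from SUSE or AusCERT: a Python re-implementation of the segment comparison used by RPM's rpmvercmp() (alphanumeric segments, numeric segments compared as integers, '~' sorting before everything including the end of the string, '^' after it), applied to an excerpt of the Package List above and to constructed rpm -qa style lines for a hypothetical host. The function and variable names (rpmvercmp, fixed_versions, vulnerable_packages, BULLETIN_PACKAGE_LIST, INSTALLED) are the example's own, the INSTALLED lines are invented, and epoch is assumed to be 0 because the bulletin's package list carries none.

```python
"""Check installed RPM builds against the fixed builds listed in a bulletin.

Added example (not part of the SUSE or AusCERT text). Re-implements the
RPM version comparison so the check runs anywhere; on a real host feed it
the output of:  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
"""
import re


def _is_alnum(c: str) -> bool:
    # rpm only treats ASCII letters and digits as segment characters
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same semantics as librpm's rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything that is not alnum, '~' or '^') carry no meaning
        while i < len(a) and not _is_alnum(a[i]) and a[i] not in "~^":
            i += 1
        while j < len(b) and not _is_alnum(b[j]) and b[j] not in "~^":
            j += 1
        # '~' sorts before anything, even the end of the string (pre-releases
        # such as 3.2.1~dev3 are older than 3.2.1)
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        # '^' sorts after the end of the string but before any other segment
        ca = i < len(a) and a[i] == "^"
        cb = j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take a run of the same kind (digits or letters) from both strings
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        sb = mb.group(0) if mb else ""
        i += len(sa)
        j += len(sb)
        if not sb:
            # kind mismatch: a numeric segment is newer than an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(nvr: str):
    """Split 'name-version-release' from the right; names may contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(vr1, vr2) -> int:
    """Compare (version, release) tuples; epoch assumed 0 for both."""
    c = rpmvercmp(vr1[0], vr2[0])
    return c if c else rpmvercmp(vr1[1], vr2[1])


def fixed_versions(bulletin_lines):
    """Parse Package List lines into {name: (version, release)}."""
    fixed = {}
    for line in bulletin_lines:
        line = line.strip()
        if not line or line.startswith("o ") or line.endswith(":"):
            continue  # product/arch headings, not packages
        name, ver, rel = split_nvr(line)
        fixed[name] = (ver, rel)
    return fixed


def vulnerable_packages(installed_lines, fixed):
    """Names of installed packages whose build is older than the fixed one."""
    out = []
    for line in installed_lines:
        name, ver, rel = split_nvr(line.strip())
        if name in fixed and compare_vr((ver, rel), fixed[name]) < 0:
            out.append(name)
    return sorted(out)


# Excerpt of the bulletin's Package List (SUSE OpenStack Cloud 9)
BULLETIN_PACKAGE_LIST = """
  o SUSE OpenStack Cloud 9 (x86_64):
       python-psutil-5.4.6-3.3.1
  o SUSE OpenStack Cloud 9 (noarch):
       openstack-keystone-14.1.1~dev28-3.16.1
       openstack-nova-18.2.4~dev22-3.16.2
       openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
""".splitlines()

# Constructed rpm -qa output for a hypothetical host (invented, not real data)
INSTALLED = [
    "python-psutil-5.4.6-3.2.1",                          # older release
    "openstack-keystone-14.1.1~dev28-3.16.1",             # exactly the fix
    "openstack-nova-18.2.5-1.1",                          # newer version
    "openstack-octavia-amphora-agent-3.2.1~dev2-3.13.1",  # older pre-release
    "bash-4.4-9.3.1",                                     # not in bulletin
]

if __name__ == "__main__":
    fixed = fixed_versions(BULLETIN_PACKAGE_LIST)
    for name in vulnerable_packages(INSTALLED, fixed):
        print(f"{name}: installed build is older than the fixed build")
```

Run against the constructed data it reports python-psutil and the octavia amphora agent as still below the fixed builds, while a build newer than the bulletin's (nova 18.2.5) is accepted; that last case is why plain string equality against the Package List is the wrong check.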


References:

  o https://www.suse.com/security/cve/CVE-2019-17134.html
  o https://www.suse.com/security/cve/CVE-2019-18874.html
  o https://bugzilla.suse.com/1153304
  o https://bugzilla.suse.com/1155942
  o https://bugzilla.suse.com/1156525

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----