Operating System:

[SUSE]

Published:

12 December 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4642
  SUSE-SU-2019:3270-1 Security update for caasp-openstack-heat-templates,
   crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3,
       mariadb, mariadb-connector-c, openstack-dashboard-theme-SUSE,
  openstack-heat-templates, openstack-neutron, openstack-nova, openstack-
                             12 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE OpenStack Cloud
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2628 CVE-2019-2627 CVE-2019-2614
                   CVE-2017-1002201  

Reference:         ASB-2019.0120
                   ESB-2019.4229
                   ESB-2019.4224
                   ESB-2019.4124

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2019/suse-su-20193270-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for caasp-openstack-heat-templates,
crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, mariadb,
mariadb-connector-c, openstack-dashboard-theme-SUSE, openstack-heat-templates,
openstack-neutron, openstack-nova, openstack-quickstart, patterns-cloud,
python-oslo.messaging, python-oslo.utils, python-pysaml2

______________________________________________________________________________

Announcement ID:   SUSE-SU-2019:3270-1
Rating:            moderate
References:        #1075812 #1123053 #1126088 #1126428 #1129729 #1132666
                   #1136035 #1143215 #1152916 #1155089
Cross-References:  CVE-2017-1002201 CVE-2019-2614 CVE-2019-2627 CVE-2019-2628
Affected Products:
                   SUSE OpenStack Cloud 7
______________________________________________________________________________

An update that solves four vulnerabilities and has six fixes is now available.

Description:

This update for caasp-openstack-heat-templates, crowbar-core,
crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, mariadb,
mariadb-connector-c, openstack-dashboard-theme-SUSE, openstack-heat-templates,
openstack-neutron, openstack-nova, openstack-quickstart, patterns-cloud,
python-oslo.messaging, python-oslo.utils, python-pysaml2 fixes the following
issues:
Security fix for mariadb:

  o MariaDB was updated to version 10.2.25 (bsc#1136035)
  o CVE-2019-2628: Fixed a remote denial of service by a privileged attacker
    (bsc#1136035).
  o CVE-2019-2627: Fixed another remote denial of service by a privileged
    attacker (bsc#1136035).
  o CVE-2019-2614: Fixed a potential remote denial of service by a privileged
    attacker (bsc#1136035).


  o adjust mysql-systemd-helper ("shutdown protected MySQL" section) so it
    checks both the ping response and the pid in the process list, as it can
    take some time until the process is terminated. Otherwise it can lead to a
    "found left-over process" situation when the regular mariadb is started
    [bsc#1143215]
  o update suse_skipped_tests.list


  o remove client_ed25519.so plugin because it's shipped in mariadb-connector-c
    package (libmariadb_plugins)
  o update suse_skipped_tests.list


  o update to 10.2.25 GA
    * Fixes for the following security vulnerabilities:
      10.2.23: none
      10.2.24: CVE-2019-2628, CVE-2019-2627, CVE-2019-2614
      10.2.25: none
    * release notes and changelog:
      https://mariadb.com/kb/en/library/mariadb-10223-release-notes
      https://mariadb.com/kb/en/library/mariadb-10223-changelog
      https://mariadb.com/kb/en/library/mariadb-10224-release-notes
      https://mariadb.com/kb/en/library/mariadb-10224-changelog
      https://mariadb.com/kb/en/library/mariadb-10225-release-notes
      https://mariadb.com/kb/en/library/mariadb-10225-changelog
  o remove mariadb-10.2.22-fix_path.patch that was applied upstream in mariadb
    10.2.23
  o remove caching_sha2_password.so because it's shipped in mariadb-connector-c
    package (libmariadb_plugins)
  o remove xtrabackup scripts as it was replaced by mariabackup (we already
    removed xtrabackup requires in the first phase)
  o fix reading options for multiple instances if my${INSTANCE}.cnf is used.
    Also remove "umask 077" from mysql-systemd-helper, which caused new
    datadirs to be created with wrong permissions. Set correct permissions for
    files created by us (mysql_upgrade_info, .run-mysql_upgrade) [bsc#1132666]
  o fix build comment to not refer to openSUSE
  o tracker bug [bsc#1136035]

  o Update to version 1.0+git.1560518045.ad7dc6d: * Patching node before
    bootstrapping


  o Update to version 4.0+git.1573109906.0f62e9503: * Ignore CVE-2017-1002201
    in CI builds (bsc#1155089)


  o Update to version 4.0+git.1573038068.1e32b3205: * Make sure the input file
    with ssh key exists (SOC-10133) * mysql: fix WSREP sync race (SOC-10717) *
    mysql: stop service for mysql_install_db (SOC-10717)


  o Update to version 4.0+git.1571404877.8edf9dd5c: * Do not use obsoleted
    --endpoint-type option with CLI * [4.0] Configurable timeout for Galera
    pre-sync


  o Switch to stable/7-8 branch


  o Update to 25.3.25:
    * A new Galera configuration parameter cert.optimistic_pa was added. If
      the parameter value is set to true, full parallelization in applying
      write sets is allowed as determined by the certification algorithm. If
      set to false, no more parallelism is allowed in applying than seen on
      the master.
    * Support for ECDH OpenSSL engines on CentOS 6 (galera#520)
    * Fixed compilation on Debian testing and unstable (galera#516, galera#528)


  o Add unescape_IPv6_bind_ip.patch
    * https://github.com/dciabrin/galera-1/commit/0f6f8aeeb09809280c956514cfd5844b8acad4f9

  o remove galera-3-25.3.23-scons_fixes.patch (merged upstream)
  o update to 25.3.24:
    * Support for a new certification key type was added to allow more
      relaxed certification rules for foreign key references (galera#491).
    * New status variables were added to display the number of open
      transactions and referenced client connections inside the Galera
      provider (galera#492).
    * GCache was sometimes cleared unnecessarily on startup if the recovered
      state had a smaller sequence number than the highest found in GCache.
      Now only entries with a sequence number higher than the recovery point
      will be cleared (galera#498).
    * Non-primary configuration is saved into grastate.dat only if the node is
      in closing state (galera#499).
    * An exception from GComm was not always handled properly, resulting in
      Galera remaining in a half-closed state. This was fixed by propagating
      the error condition appropriately to upper layers (galera#500).
    * A new status variable displaying the total weight of the cluster nodes
      was added (galera#501).
    * The value of pc.weight did not reflect the actual effective value after
      setting it via wsrep_provider_options. This was fixed by making sure
      that the new value is taken into use before returning control to the
      caller (galera#505, MDEV-11959).
    * Use of ECDH algorithms with old OpenSSL versions was enabled
      (galera#511).
    * The default port value is now used by garbd if the port is not
      explicitly given in the cluster address (MDEV-15531).
    * Correct error handling for posix_fallocate().
    * Failed causal reads are retried during configuration changes.


  o New upstream version 3.1.2 [bsc#1136035]
    * CONC-383: client plugins can't be loaded due to missing prefix
    * Fixed version setting in GnuTLS by moving "NORMAL" to the end of the
      priority string
    * CONC-386: Added support for pem files which contain certificate and
      private key.
    * Replication/Binlog API: The main mechanism used in replication is the
      binary log.
    * CONC-395: Dashes and underscores are not interchangeable in options in
      my.cnf
    * CONC-384: Incorrect packet when a connection attribute name or value is
      equal to or greater than 251
    * CONC-388: field->def_length is always set to 0
    * Getter should get and the setter should set
      CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS
    * Disable LOAD DATA LOCAL INFILE support by default and auto-enable it for
      the duration of one query if the query string starts with the word
      "load". In all other cases the application should enable LOAD DATA LOCAL
      INFILE support explicitly.
    * Changed return code for mysql_optionv/mysql_get_optionv to 1 (was -1)
      and added CR_NOT_IMPLEMENTED error message if an option is unknown or
      not supported.
    * mingw fix: use lowercase names for include files
    * CONC-375: Fixed handshake errors when mixing TLSv1.3 cipher suites with
      cipher suites from other TLS protocols
    * CONC-312: Added new caching_sha2_password authentication plugin for
      authentication with MySQL 8.0
  o refresh mariadb-connector-c-2.3.1_unresolved_symbols.patch and
    private_library.patch
  o pack caching_sha2_password.so and client_ed25519.so
  o move libmariadb.pc from /usr/lib/pkgconfig to /usr/lib64/pkgconfig for
    x86_64 [bsc#1126088]


  o Switch to new GitHub repo


  o Add trigger for openstack-horizon-plugin-murano-ui
  o Update to version 0.0.0+git.1515995585.81ed236: * Migrate templates job to
    Zuul v3


  o add 0001-set_db_attribute-differs-between-vsctl-and-native.patch (bsc#
    1152916) part of lp#1630920


  o add copytruncate to openstack-neutron.logrotate (bsc#1126428)


  o Add 0001-When-converting-sg-rules-to-iptables-do-not-emit-dpo.patch (bsc#
    1129729)


  o Add back the HA related patches that we removed to debug (SOC-10092):
    * Add 0001-Keep-HA-ports-info-for-HA-router-during-entire-lifecycle.patch
      backported from https://review.opendev.org/#/c/659644/1
    * Add 0001-Async-notify-neutron-server-for-HA-states.patch backported from
      https://review.opendev.org/#/c/658507/1
    * Add 0001-Change-duplicate-OVS-bridge-datapath-ids.patch backported from
      https://review.opendev.org/#/c/649192/3
    * Add 0001-Choose-random-value-for-HA-routes-vr_id.patch backported from
      https://review.opendev.org/#/c/651988/2


  o add copytruncate to openstack-nova.logrotate (bsc#1126428)


  o Update to version 2016.2+git.1492839294.d76879d: * Setup monasca-agent


  o Update to version 2016.2+git.1492611783.2908851: * Adding support for
    monasca


  o Update to version 2016.2+git.1490964440.09a9673: * Move aliases inside
    Keystone vhost configuration


  o Update to version 2016.2+git.1486720712.bea5be9: * Use qemu instead of lxc
    as virt_type fallback * Check for net/subnet/router existence before
    creating it * Use get_or_*() functions for Heat


  o skip magnum service image for non-x86_64


  o add 0001-Suppress-excessive-debug-logs-when-consume-rabbit (bsc#1123053)
  o Add adjust-to-setuptools-8-plus.patch (SOC-10947): this patch fixes
    oslo.utils breakage caused by the more recent python-setuptools version
    introduced by bsc#1075812.


  o Revert change on using license macro from previous commit.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud 7:
    zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3270=1

Package List:

  o SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):
       crowbar-core-4.0+git.1573109906.0f62e9503-9.57.2
       crowbar-core-branding-upstream-4.0+git.1573109906.0f62e9503-9.57.2
       galera-3-wsrep-provider-25.3.25-11.1
       galera-3-wsrep-provider-debuginfo-25.3.25-11.1
       mariadb-10.2.25-13.1
       mariadb-client-10.2.25-13.1
       mariadb-client-debuginfo-10.2.25-13.1
       mariadb-debuginfo-10.2.25-13.1
       mariadb-debugsource-10.2.25-13.1
       mariadb-tools-10.2.25-13.1
       mariadb-tools-debuginfo-10.2.25-13.1
       patterns-cloud-admin-20170124-4.6.1
       patterns-cloud-compute-20170124-4.6.1
       patterns-cloud-controller-20170124-4.6.1
       patterns-cloud-network-20170124-4.6.1
       patterns-cloud-user-20170124-4.6.1
  o SUSE OpenStack Cloud 7 (s390x x86_64):
       libmariadb3-3.1.2-1.9.1
  o SUSE OpenStack Cloud 7 (noarch):
       caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-1.9.1
       crowbar-openstack-4.0+git.1573038068.1e32b3205-9.62.2
       crowbar-ui-1.1.0+git.1547500033.d0fb2bf2-4.12.1
       mariadb-errormessages-10.2.25-13.1
       openstack-dashboard-theme-SUSE-2016.2-5.9.2
       openstack-heat-templates-0.0.0+git.1515995585.81ed236-12.1
       openstack-neutron-9.4.2~dev21-7.35.3
       openstack-neutron-dhcp-agent-9.4.2~dev21-7.35.3
       openstack-neutron-doc-9.4.2~dev21-7.35.1
       openstack-neutron-ha-tool-9.4.2~dev21-7.35.3
       openstack-neutron-l3-agent-9.4.2~dev21-7.35.3
       openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.35.3
       openstack-neutron-macvtap-agent-9.4.2~dev21-7.35.3
       openstack-neutron-metadata-agent-9.4.2~dev21-7.35.3
       openstack-neutron-metering-agent-9.4.2~dev21-7.35.3
       openstack-neutron-openvswitch-agent-9.4.2~dev21-7.35.3
       openstack-neutron-server-9.4.2~dev21-7.35.3
       openstack-nova-14.0.11~dev13-4.37.3
       openstack-nova-api-14.0.11~dev13-4.37.3
       openstack-nova-cells-14.0.11~dev13-4.37.3
       openstack-nova-cert-14.0.11~dev13-4.37.3
       openstack-nova-compute-14.0.11~dev13-4.37.3
       openstack-nova-conductor-14.0.11~dev13-4.37.3
       openstack-nova-console-14.0.11~dev13-4.37.3
       openstack-nova-consoleauth-14.0.11~dev13-4.37.3
       openstack-nova-doc-14.0.11~dev13-4.37.2
       openstack-nova-novncproxy-14.0.11~dev13-4.37.3
       openstack-nova-placement-api-14.0.11~dev13-4.37.3
       openstack-nova-scheduler-14.0.11~dev13-4.37.3
       openstack-nova-serialproxy-14.0.11~dev13-4.37.3
       openstack-nova-vncproxy-14.0.11~dev13-4.37.3
       python-neutron-9.4.2~dev21-7.35.3
       python-nova-14.0.11~dev13-4.37.3
       python-oslo.messaging-5.10.2-3.12.1
       python-oslo.utils-3.16.1-3.6.1
       python-pysaml2-4.0.2-3.14.1
  o SUSE OpenStack Cloud 7 (x86_64):
       mariadb-galera-10.2.25-13.1
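As an added example (not part of the SUSE bulletin or AusCERT's text), the following Python script checks a host's installed packages against the fixed versions in the Package List above and reports which ones still lag. It assumes the input is the output of `rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'`; the embedded sample output is constructed, not captured from a real host, and the version comparison is a simplified re-implementation of RPM's ordering rules (tilde sorts before everything, numeric runs compare numerically, version decides before release), not rpm's own rpmvercmp(). The tilde handling matters here because several fixed versions such as 9.4.2~dev21 carry a pre-release suffix.

```python
"""Check a SUSE OpenStack Cloud 7 host against the package versions fixed in
SUSE-SU-2019:3270-1 (added example; not SUSE or AusCERT code).

Expected input: output of
    rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'
one package per line. The comparison below is a simplified version of RPM's
ordering rules, not rpm's rpmvercmp()."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed version-release strings taken from the bulletin's Package List.
FIXED_VERSIONS: Dict[str, str] = {
    "mariadb": "10.2.25-13.1",
    "mariadb-client": "10.2.25-13.1",
    "mariadb-galera": "10.2.25-13.1",
    "libmariadb3": "3.1.2-1.9.1",
    "galera-3-wsrep-provider": "25.3.25-11.1",
    "openstack-neutron-server": "9.4.2~dev21-7.35.3",
    "openstack-nova-api": "14.0.11~dev13-4.37.3",
    "python-oslo.utils": "3.16.1-3.6.1",
}

# Constructed sample rpm output (not captured from a real host): mariadb and
# libmariadb3 lag behind, nova-api is newer than the bulletin, the rest match.
SAMPLE_RPM_OUTPUT = """\
mariadb 10.2.22-12.1
mariadb-client 10.2.25-13.1
libmariadb3 3.0.3-1.6.1
galera-3-wsrep-provider 25.3.25-11.1
openstack-neutron-server 9.4.2~dev21-7.35.3
openstack-nova-api 14.0.11~dev14-4.38.1
python-oslo.utils 3.16.1-3.6.1
unrelated-package 1.0-1.1
"""

_TOKEN = re.compile(r"\d+|[A-Za-z]+|~")


def _compare_segment(a: str, b: str) -> int:
    """Compare one version (or release) string the way RPM orders them:
    digit runs numerically, letter runs lexically, and a tilde sorts before
    anything, including the end of the string (so 9.4.2~dev21 < 9.4.2)."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x: Optional[str] = ta[i] if i < len(ta) else None
        y: Optional[str] = tb[i] if i < len(tb) else None
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer
        return (x > y) - (x < y)
    return 0


def compare_evr(a: str, b: str) -> int:
    """Return -1, 0 or 1 for version-release strings a and b: the version
    part decides first, the release part only breaks ties."""
    av, ar = a.rsplit("-", 1)
    bv, br = b.rsplit("-", 1)
    return _compare_segment(av, bv) or _compare_segment(ar, br)


def parse_rpm_output(text: str) -> Dict[str, str]:
    """Map package name -> installed version-release from rpm -qa output."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def outstanding(installed: Dict[str, str],
                fixed: Dict[str, str] = FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fixed) for installed packages that are
    still below the bulletin's fixed version. Packages that are not installed
    are skipped: there is nothing to patch on that host."""
    lagging = []
    for name, fixed_evr in fixed.items():
        have = installed.get(name)
        if have is not None and compare_evr(have, fixed_evr) < 0:
            lagging.append((name, have, fixed_evr))
    return sorted(lagging)


if __name__ == "__main__":
    for name, have, want in outstanding(parse_rpm_output(SAMPLE_RPM_OUTPUT)):
        print(f"{name}: installed {have}, fixed in {want}")
    print("Remediation: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3270=1")
```

On a real host, replace SAMPLE_RPM_OUTPUT with the captured rpm output and extend FIXED_VERSIONS with the remaining entries from the Package List; a package that is absent from the host is reported as nothing to do rather than as a finding.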


References:

  o https://www.suse.com/security/cve/CVE-2017-1002201.html
  o https://www.suse.com/security/cve/CVE-2019-2614.html
  o https://www.suse.com/security/cve/CVE-2019-2627.html
  o https://www.suse.com/security/cve/CVE-2019-2628.html
  o https://bugzilla.suse.com/1075812
  o https://bugzilla.suse.com/1123053
  o https://bugzilla.suse.com/1126088
  o https://bugzilla.suse.com/1126428
  o https://bugzilla.suse.com/1129729
  o https://bugzilla.suse.com/1132666
  o https://bugzilla.suse.com/1136035
  o https://bugzilla.suse.com/1143215
  o https://bugzilla.suse.com/1152916
  o https://bugzilla.suse.com/1155089

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----