Security update for caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, mariadb, mariadb-connector-c, openstack-dashboard-theme-SUSE, openstack-heat-t

Announcement ID:	SUSE-SU-2019:3270-1
Rating:	moderate
References:	bsc#1075812 bsc#1123053 bsc#1126088 bsc#1126428 bsc#1129729 bsc#1132666 bsc#1136035 bsc#1143215 bsc#1152916 bsc#1155089 jsc#SOC-10092 jsc#SOC-10133 jsc#SOC-10717 jsc#SOC-10947
Cross-References:	CVE-2017-1002201 CVE-2019-2614 CVE-2019-2627 CVE-2019-2628
CVSS scores:	CVE-2017-1002201 ( SUSE ): 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2017-1002201 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-2614 ( SUSE ): 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2614 ( NVD ): 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2614 ( NVD ): 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2627 ( SUSE ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2627 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2627 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2628 ( SUSE ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2628 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2628 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE OpenStack Cloud 7

An update that solves four vulnerabilities, contains four features and has six security fixes can now be installed.

Description:

This update for caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, mariadb, mariadb-connector-c, openstack-dashboard-theme-SUSE, openstack-heat-templates, openstack-neutron, openstack-nova, openstack-quickstart, patterns-cloud, python-oslo.messaging, python-oslo.utils, python-pysaml2 fixes the following issues:

Security fix for mariadb:

• MariaDB was update to version 10.2.25 (bsc#1136035)
• CVE-2019-2628: Fixed a remote denial of service by an privileged attacker (bsc#1136035).
• CVE-2019-2627: Fixed another remote denial of service by an privileged attacker (bsc#1136035).

• CVE-2019-2614: Fixed a potential remote denial of service by an privileged attacker (bsc#1136035).

• adjust mysql-systemd-helper ("shutdown protected MySQL" section) so it checks both ping response and the pid in a process list as it can take some time till the process is terminated. Otherwise it can lead to "found left-over process" situation when regular mariadb is started [bsc#1143215]

• update suse_skipped_tests.list

• remove client_ed25519.so plugin because it's shipped in mariadb-connector-c package (libmariadb_plugins)

• update suse_skipped_tests.list

• update to 10.2.25 GA

• Fixes for the following security vulnerabilities:
  • 10.2.23: none
  • 10.2.24: CVE-2019-2628, CVE-2019-2627, CVE-2019-2614
  • 10.2.25: none
• release notes and changelog: https://mariadb.com/kb/en/library/mariadb-10223-release-notes https://mariadb.com/kb/en/library/mariadb-10223-changelog https://mariadb.com/kb/en/library/mariadb-10224-release-notes https://mariadb.com/kb/en/library/mariadb-10224-changelog https://mariadb.com/kb/en/library/mariadb-10225-release-notes https://mariadb.com/kb/en/library/mariadb-10225-changelog
• remove mariadb-10.2.22-fix_path.patch that was applied upstream in mariadb 10.2.23
• remove caching_sha2_password.so because it's shipped in mariadb-connector-c package (libmariadb_plugins)
• remove xtrabackup scripts as it was replaced by mariabackup (we already removed xtrabackup requires in the first phase)
• fix reading options for multiple instances if my${INSTANCE}.cnf is used. Also remove "umask 077" from mysql-systemd-helper that causes that new datadirs are created with wrong permissions. Set correct permissions for files created by us (mysql_upgrade_info, .run-mysql_upgrade) [bsc#1132666]
• fix build comment to not refer to openSUSE

• tracker bug [bsc#1136035]

• Update to version 1.0+git.1560518045.ad7dc6d:

• Patching node before bootstraping

• Update to version 4.0+git.1573109906.0f62e9503:

• Ignore CVE-2017-1002201 in CI builds (bsc#1155089)

• Update to version 4.0+git.1573038068.1e32b3205:

• Make sure the input file with ssh key exists (SOC-10133)
• mysql: fix WSREP sync race (SOC-10717)

• mysql: stop service for mysql_install_db (SOC-10717)

• Update to version 4.0+git.1571404877.8edf9dd5c:

• Do not use obsoleted --endpoint-type option with CLI

• [4.0] Configurable timeout for Galera pre-sync

• Switch to stable/7-8 branch

• Update to 25.3.25:

• A new Galera configuration parameter cert.optimistic_pa was added. If the parameter value is set to true, full parallelization in applying write sets is allowed as determined by certification algorithm. If set to false, no more parallelism is allowed in applying than seen on the master.
• Support for ECDH OpenSSL engines on CentOS 6 (galera#520)

• Fixed compilation on Debian testing and unstable (galera#516, galera#528)

• Add unescape_IPv6_bind_ip.patch

• https://github.com/dciabrin/galera-1/commit/0f6f8aeeb09809280c956514cfd5844b8acad4f9

• remove galera-3-25.3.23-scons_fixes.patch (merged upstream)

• update to 25.3.24:
• A support for new certification key type was added to allow more relaxed certification rules for foreign key references (galera#491).
• New status variables were added to display the number of open transactions and referenced client connections inside Galera provider (galera#492).
• GCache was sometimes cleared unnecessarily on startup if the recovered state had smaller sequence number than the highest found from GCache. Now only entries with sequence number higher than recovery point will be cleared (galera#498).
• Non-primary configuration is saved into grastate.dat only when if the node is in closing state (galera#499).
• Exception from GComm was not always handled properly resulting in Galera to remain in half closed state. This was fixed by propagating the error condition appropriately to upper layers (galera#500).
• A new status variable displaying the total weight of the cluster nodes was added (galera#501).
• The value of pc.weight did not reflect the actual effective value after setting it via wsrep_provider_options. This was fixed by making sure that the new value is taken into use before returning the control back to caller (galera#505, MDEV-11959)
• Use of ECHD algorithms with old OpenSSL versions was enabled (galera#511).
• Default port value is now used by garbd if the port is not explicitly given in cluster address (MDEV-15531).
• Correct error handling for posix_fallocate().

• Failed causal reads are retried during configuration changes.

• New upstream version 3.1.2 [bsc#1136035]

• CONC-383: client plugins can't be loaded due to missing prefix
• Fixed version setting in GnuTLS by moving "NORMAL" at the end of priority string
• CONC-386: Added support for pem files which contain certificate and private key.
• Replication/Binlog API: The main mechanism used in replication is the binary log.
• CONC-395: Dashes and underscores are not interchangeable in options in my.cnf
• CONC-384: Incorrect packet when a connection attribute name or value is equal to or greater than 251
• CONC-388: field->def_length is always set to 0
• Getter should get and the setter should set CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS
• Disable LOAD DATA LOCAL INFILE support by default and auto-enable it for the duration of one query, if the query string starts with the word "load". In all other cases the application should enable LOAD DATA LOCAL INFILE support explicitly.
• Changed return code for mysql_optionv/mysql_get_optionv to 1 (was -1) and added CR_NOT_IMPLEMENTED error message if a option is unknown or not supported.
• mingw fix: use lowercase names for include files
• CONC-375: Fixed handshake errors when mixing TLSv1.3 cipher suites with cipher suites from other TLS protocols
• CONC-312: Added new caching_sha2_password authentication plugin for authentication with MySQL 8.0
• refresh mariadb-connector-c-2.3.1_unresolved_symbols.patch and private_library.patch
• pack caching_sha2_password.so and client_ed25519.so

• move libmariadb.pc from /usr/lib/pkgconfig to /usr/lib64/pkgconfig for x86_64 [bsc#1126088]

• Switch to new GitHub repo

• Add trigger for openstack-horizon-plugin-murano-ui

• Update to version 0.0.0+git.1515995585.81ed236:

• Migrate templates job to Zuul v3

• add 0001-set_db_attribute-differs-between-vsctl-and-native.patch (bsc#1152916) part of lp#1630920

• add copytruncate to openstack-neutron.logrotate (bsc#1126428)

• Add 0001-When-converting-sg-rules-to-iptables-do-not-emit-dpo.patch (bsc#1129729)

• Add back the HA related patches that we removed to debug(SOC-10092) Add 0001-Keep-HA-ports-info-for-HA-router-during-entire-lifecycle.patch backported from https://review.opendev.org/#/c/659644/1 Add 0001-Async-notify-neutron-server-for-HA-states.patch backported from https://review.opendev.org/#/c/658507/1 Add 0001-Change-duplicate-OVS-bridge-datapath-ids.patch backported from https://review.opendev.org/#/c/649192/3 Add 0001-Choose-random-value-for-HA-routes-vr_id.patch backported from https://review.opendev.org/#/c/651988/2

• add copytruncate to openstack-nova.logrorate (bsc#1126428)

• Update to version 2016.2+git.1492839294.d76879d:

• Setup monasca-agent

• Update to version 2016.2+git.1492611783.2908851:

• Adding support for monasca

• Update to version 2016.2+git.1490964440.09a9673:

• Move aliases inside Keystone vhost configuration

• Update to version 2016.2+git.1486720712.bea5be9:

• Use qemu instead of lxc as virt_type fallback
• Check for net/subnet/router existance before creating it

• Use get_or_*() functions for Heat

• skip magnum service image for non-x86_64

• add 0001-Suppress-excessive-debug-logs-when-consume-rabbit (bsc#1123053):

• Add adjust-to-setuptools-8-plus.patch (SOC-10947): this patch fixes oslo.utils breakage caused by the more recent python-setuptools version introduced by (bsc#1075812).

• Revert change on using license macro from previous commit.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud 7
  zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3270=1

Package List:

• SUSE OpenStack Cloud 7 (noarch)
  • openstack-neutron-metadata-agent-9.4.2~dev21-7.35.3
  • openstack-neutron-server-9.4.2~dev21-7.35.3
  • openstack-nova-console-14.0.11~dev13-4.37.3
  • openstack-nova-compute-14.0.11~dev13-4.37.3
  • crowbar-openstack-4.0+git.1573038068.1e32b3205-9.62.2
  • openstack-neutron-macvtap-agent-9.4.2~dev21-7.35.3
  • openstack-nova-vncproxy-14.0.11~dev13-4.37.3
  • openstack-heat-templates-0.0.0+git.1515995585.81ed236-12.1
  • openstack-neutron-dhcp-agent-9.4.2~dev21-7.35.3
  • python-neutron-9.4.2~dev21-7.35.3
  • openstack-nova-novncproxy-14.0.11~dev13-4.37.3
  • openstack-neutron-metering-agent-9.4.2~dev21-7.35.3
  • openstack-neutron-doc-9.4.2~dev21-7.35.1
  • crowbar-ui-1.1.0+git.1547500033.d0fb2bf2-4.12.1
  • openstack-nova-api-14.0.11~dev13-4.37.3
  • openstack-nova-conductor-14.0.11~dev13-4.37.3
  • openstack-neutron-l3-agent-9.4.2~dev21-7.35.3
  • openstack-nova-cert-14.0.11~dev13-4.37.3
  • openstack-nova-consoleauth-14.0.11~dev13-4.37.3
  • python-nova-14.0.11~dev13-4.37.3
  • mariadb-errormessages-10.2.25-13.1
  • openstack-nova-placement-api-14.0.11~dev13-4.37.3
  • openstack-nova-cells-14.0.11~dev13-4.37.3
  • python-oslo.messaging-5.10.2-3.12.1
  • python-oslo.utils-3.16.1-3.6.1
  • openstack-neutron-openvswitch-agent-9.4.2~dev21-7.35.3
  • caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-1.9.1
  • openstack-neutron-9.4.2~dev21-7.35.3
  • openstack-nova-scheduler-14.0.11~dev13-4.37.3
  • openstack-dashboard-theme-SUSE-2016.2-5.9.2
  • openstack-nova-doc-14.0.11~dev13-4.37.2
  • python-pysaml2-4.0.2-3.14.1
  • openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.35.3
  • openstack-neutron-ha-tool-9.4.2~dev21-7.35.3
  • openstack-nova-14.0.11~dev13-4.37.3
  • openstack-nova-serialproxy-14.0.11~dev13-4.37.3
• SUSE OpenStack Cloud 7 (x86_64)
  • crowbar-core-4.0+git.1573109906.0f62e9503-9.57.2
  • crowbar-core-branding-upstream-4.0+git.1573109906.0f62e9503-9.57.2
  • mariadb-client-10.2.25-13.1
  • patterns-cloud-user-20170124-4.6.1
  • patterns-cloud-controller-20170124-4.6.1
  • mariadb-tools-debuginfo-10.2.25-13.1
  • mariadb-10.2.25-13.1
  • mariadb-debuginfo-10.2.25-13.1
  • mariadb-tools-10.2.25-13.1
  • mariadb-galera-10.2.25-13.1
  • patterns-cloud-compute-20170124-4.6.1
  • patterns-cloud-network-20170124-4.6.1
  • libmariadb3-3.1.2-1.9.1
  • patterns-cloud-admin-20170124-4.6.1
  • mariadb-client-debuginfo-10.2.25-13.1
  • mariadb-debugsource-10.2.25-13.1
  • galera-3-wsrep-provider-debuginfo-25.3.25-11.1
  • galera-3-wsrep-provider-25.3.25-11.1

References:

• https://www.suse.com/security/cve/CVE-2017-1002201.html
• https://www.suse.com/security/cve/CVE-2019-2614.html
• https://www.suse.com/security/cve/CVE-2019-2627.html
• https://www.suse.com/security/cve/CVE-2019-2628.html
• https://bugzilla.suse.com/show_bug.cgi?id=1075812
• https://bugzilla.suse.com/show_bug.cgi?id=1123053
• https://bugzilla.suse.com/show_bug.cgi?id=1126088
• https://bugzilla.suse.com/show_bug.cgi?id=1126428
• https://bugzilla.suse.com/show_bug.cgi?id=1129729
• https://bugzilla.suse.com/show_bug.cgi?id=1132666
• https://bugzilla.suse.com/show_bug.cgi?id=1136035
• https://bugzilla.suse.com/show_bug.cgi?id=1143215
• https://bugzilla.suse.com/show_bug.cgi?id=1152916
• https://bugzilla.suse.com/show_bug.cgi?id=1155089
• https://jira.suse.com/browse/SOC-10092
• https://jira.suse.com/browse/SOC-10133
• https://jira.suse.com/browse/SOC-10717
• https://jira.suse.com/browse/SOC-10947