Security update for Cloud7 packages

Announcement ID: SUSE-SU-2019:1450-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2017-1000433 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-1000433 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-1000872 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2018-1000872 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Enterprise Storage 4
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE OpenStack Cloud 7

An update that solves two vulnerabilities, contains three features and has 13 security fixes can now be installed.

Description:

This update provides fixes for the following packages issues:

caasp-openstack-heat-templates:

  • Update to version 1.0+git.1553079189.3bf8922:
  • SCRD-2813 Add support for CPI parameters
  • Update to version 1.0+git.1547562889.43707e7:
  • Switch LB protocol from HTTP to HTTPS

crowbar:

  • Update to version 4.0+git.1551088848.823bcaa3:
  • install-chef-suse: filter comments from authorized_keys file

crowbar-core:

  • Update to version 4.0+git.1556285635.ab602dd4d:
  • network: run wicked ifdown for interface cleanup (bsc#1063535)
  • Update to version 4.0+git.1554931881.d98412e0e:
  • Fix cloud-mkcloud9-job-backup-restore (SCRD-7126)
  • Update to version 4.0+git.1552239940.5bc9aaac4:
  • crowbar: Do not rely on Chef::Util::FileEdit to write the file (bsc#1127752)
  • Update to version 4.0+git.1550493400.9787ea9ad:
  • upgrade: Delay status switch after upgrade ends
  • Update to version 4.0+git.1549474445.d9a35cf52:
  • fix hound warning
  • Support RAID 0
  • Packaged default upgrade timeouts file
  • Update to version 4.0+git.1549136953.afcde921f:
  • apache2: enable sslsessioncache
  • Update to version 4.0+git.1548859099.0edbbfdc2:
  • upgrade: Add default upgrade timeouts file

crowbar-ha:

  • Update to version 4.0+git.1556181005.47c643d:
  • pacemaker: wait more for founder if SBD is configured (SCRD-8462)
  • pacemaker: don't check cluster members on founder (SCRD-8462)
  • Update to version 4.0+git.1554215159.8a42a71:
  • improve galera HA setup (bsc#1122875)

crowbar-openstack:

  • Update to version 4.0+git.1554887450.ff7c30c1c:
  • neutron: Added option to use L3 HA with Keepalived
  • Update to version 4.0+git.1554843756.5622551da:
  • ironic: Fix regression in helper
  • Update to version 4.0+git.1554814630.ec3c89f25:
  • ceilometer: Install package which contains cron file (bsc#1130414)
  • Update to version 4.0+git.1551459192.89433e13b:
  • rabbit: fix mirroring regex
  • Update to version 4.0+git.1550582615.f6b433ec7:
  • ceilometer: Use pacemaker to handle expirer cron link (bsc#1113107)
  • Update to version 4.0+git.1550262335.9667fa580:
  • mysql: Do not set a custom logfile for mysqld (bsc#1112767)
  • mysql: create .my.cnf in root home directory for mysql cmdline
  • Update to version 4.0+git.1549986893.df836d6cc:
  • mariadb: Remove installing the xtrabackup package
  • ssl: Fix ACL setup in ssl_setup provider (bsc#1123709)

galera-python-clustercheck:

  • readtimeout.patch: Add socket read timeout (bsc#1122053)

openstack-ceilometer:

  • Install openstack-ceilometer-expirer.cron into /usr/share/ceilometer This is needed in a clustered environment where multiple ceilometer-collector services are installed on different nodes (and due to that multiple expirer cron jobs installed). That can lead to deadlocks when the cron jobs run in parallel on the different nodes (bsc#1113107)

openstack-heat-gbp:

  • switch to newton branch

python-PyKMIP:

  • Fix a denial-of-service bug by setting the server socket timeout (bsc#1120767 CVE-2018-1000872)

python-pysaml2:

  • Fix for the authentication bypass due to optimizations (CVE-2017-1000433, bsc#1074662)

rubygem-crowbar-client:

  • Update to 3.9.0
  • Add support for the restricted APIs
  • Add --raw to "proposal show" and "proposal edit"
  • Correctly parse error messages that we don't handle natively
  • Better upgrade repocheck output
  • Update to 3.7.0
  • upgrade: Use cloud_version config for upgrade
  • ses: Add ses upload subcommand
  • Add cloud_version config field.
  • Wrap os-release file parsing for better reuse.
  • upgrade: Fix repocheck component in error message
  • upgrade: Better repocheck output
  • updated to version 3.6.1
  • Hide the database step when it is not used (bsc#1118004)
  • Fix help strings
  • Describe how to upgrade more nodes with one command

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE OpenStack Cloud 7
    zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1450=1
  • SUSE Enterprise Storage 4
    zypper in -t patch SUSE-Storage-4-2019-1450=1

Package List:

  • SUSE OpenStack Cloud 7 (noarch)
    • caasp-openstack-heat-templates-1.0+git.1553079189.3bf8922-1.6.2
    • python-PyKMIP-0.5.0-3.3.3
    • python-heat-gbp-5.1.1~dev1-2.6.3
    • python-ceilometer-7.1.1~dev4-4.15.3
    • crowbar-openstack-4.0+git.1554887450.ff7c30c1c-9.51.3
    • openstack-ceilometer-agent-compute-7.1.1~dev4-4.15.3
    • openstack-ceilometer-agent-ipmi-7.1.1~dev4-4.15.3
    • openstack-ceilometer-polling-7.1.1~dev4-4.15.3
    • openstack-ceilometer-doc-7.1.1~dev4-4.15.3
    • openstack-heat-gbp-5.1.1~dev1-2.6.3
    • crowbar-4.0+git.1551088848.823bcaa3-7.29.2
    • crowbar-ha-4.0+git.1556181005.47c643d-4.46.3
    • openstack-ceilometer-7.1.1~dev4-4.15.3
    • openstack-ceilometer-api-7.1.1~dev4-4.15.3
    • python-pysaml2-4.0.2-3.6.3
    • openstack-ceilometer-agent-central-7.1.1~dev4-4.15.3
    • openstack-ceilometer-collector-7.1.1~dev4-4.15.3
    • crowbar-devel-4.0+git.1551088848.823bcaa3-7.29.2
    • openstack-ceilometer-agent-notification-7.1.1~dev4-4.15.3
    • galera-python-clustercheck-0.0+git.1506329536.8f5878c-1.6.2
  • SUSE OpenStack Cloud 7 (x86_64)
    • crowbar-core-branding-upstream-4.0+git.1556285635.ab602dd4d-9.46.3
    • crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
    • ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2
  • SUSE Enterprise Storage 4 (aarch64 x86_64)
    • crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
    • ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2
  • SUSE Enterprise Storage 4 (noarch)
    • crowbar-4.0+git.1551088848.823bcaa3-7.29.2

References: