Security update for crowbar-core, crowbar-openstack, grafana, influxdb, openstack-heat-templates, openstack-nova, python-Jinja2

Announcement ID:	SUSE-SU-2021:0056-1
Rating:	important
References:	bsc#1117080 bsc#1125815 bsc#1132174 bsc#1132323 bsc#1178243 bsc#1178988 bsc#1179161 jsc#SOC-11240
Cross-References:	CVE-2016-10745 CVE-2018-17954 CVE-2019-10906 CVE-2019-20933 CVE-2019-8341 CVE-2020-24303
CVSS scores:	CVE-2016-10745 ( SUSE ): 8.7 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVE-2016-10745 ( NVD ): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2018-17954 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-17954 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2019-10906 ( SUSE ): 8.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L CVE-2019-10906 ( NVD ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2019-10906 ( NVD ): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2019-20933 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-20933 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-8341 ( SUSE ): 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVE-2019-8341 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-8341 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-24303 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2020-24303 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:	HPE Helion OpenStack 8 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP3 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8

An update that solves six vulnerabilities, contains one feature and has one security fix can now be installed.

Description:

This update for crowbar-core, crowbar-openstack, grafana, influxdb, openstack-heat-templates, openstack-nova, python-Jinja2 fixes the following issues:

Security fixes included in this request:

grafana: - CVE-2020-24303: Fixed an XXS with series overides. (bsc#1178243)

influxdb: - CVE-2019-20933: Fixed an authentication bypass. (bsc#1178988)

python-Jinja2: - CVE-2019-10906, CVE-2019-8341, CVE-2016-10745: "SandboxedEnvironment" securely handles "str.format_map" in order to prevent code execution through untrusted format strings. (bsc#1132323, bsc#1125815, bsc#1132174)

Non-security fixes included in this request:

Changes in crowbar-core.SUSE_SLE-12-SP3_Update_Products_Cloud8: - Update to version 5.0+git.1606840757.839a64745: * ntp: Do not use rate-limiting (bsc#1179161)

Changes in crowbar-openstack.SUSE_SLE-12-SP3_Update_Products_Cloud8: - Update to version 5.0+git.1604938523.ded915845: * rabbitmq: Fix crm running check (SOC-11240)

Changes in grafana.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update: - Fix bsc#1178243 CVE-2020-24303 by adding 25401-Fix-XSS-vulnerability-with-series-overrides.patch

Changes in influxdb.SUSE_SLE-12-SP3_Update_Products_Cloud8: - Add CVE-2019-20933.patch (bsc#1178988, CVE-2019-20933) to fix authentication bypass - Declare license files correctly

Changes in openstack-heat-templates.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update: - Update to version 0.0.0+git.1605509190.64f020b: * Fix software config on rdo * optimize size and time using --no-cache-dir * add template for servers using Octavia

Update to version 0.0.0+git.1604032742.c5733ee:
Move heat-templates-check job to zuul v3

Changes in openstack-nova-doc.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update: - Update to version nova-16.1.9.dev77: * Follow up for cherry-pick check for merge patch

Changes in openstack-nova.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update: - Update to version nova-16.1.9.dev77: * Follow up for cherry-pick check for merge patch

Changes in python-Jinja2.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update: - add 0001-sandbox-str.format_map.patch (bsc#1132323, CVE-2019-10906, bsc#1125815, CVE-2019-8341) * "SandboxedEnvironment" securely handles "str.format_map" in order to prevent code execution through untrusted format strings. The sandbox already handled "str.format". - add 0001-SECURITY-support-sandboxing-in-format-expressions.patch (bsc#1132174, CVE-2016-10745)

Allows Recommends and Suggest in Fedora
Recommends only for SUSE

Changes in rubygem-crowbar-client:

Update to 3.9.3
Enable restricted commands for Cloud 7 (bsc#1117080, CVE-2018-17954)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

HPE Helion OpenStack 8
zypper in -t patch HPE-Helion-OpenStack-8-2021-56=1
SUSE OpenStack Cloud 8
zypper in -t patch SUSE-OpenStack-Cloud-8-2021-56=1
SUSE OpenStack Cloud Crowbar 8
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-56=1

Package List:

HPE Helion OpenStack 8 (x86_64)
- influxdb-1.3.4-4.3.1
- grafana-debuginfo-6.7.4-4.15.1
- influxdb-debugsource-1.3.4-4.3.1
- grafana-6.7.4-4.15.1
- influxdb-debuginfo-1.3.4-4.3.1
HPE Helion OpenStack 8 (noarch)
- openstack-nova-16.1.9~dev77-3.42.1
- venv-openstack-neutron-x86_64-11.0.9~dev69-13.34.1
- openstack-nova-novncproxy-16.1.9~dev77-3.42.1
- venv-openstack-octavia-x86_64-1.0.6~dev3-12.31.1
- venv-openstack-cinder-x86_64-11.2.3~dev29-14.32.1
- openstack-nova-api-16.1.9~dev77-3.42.1
- venv-openstack-glance-x86_64-15.0.3~dev3-12.29.1
- openstack-nova-scheduler-16.1.9~dev77-3.42.1
- openstack-nova-vncproxy-16.1.9~dev77-3.42.1
- python-nova-16.1.9~dev77-3.42.1
- venv-openstack-trove-x86_64-8.0.2~dev2-11.30.1
- venv-openstack-ironic-x86_64-9.1.8~dev8-12.31.1
- venv-openstack-murano-x86_64-4.0.2~dev2-12.26.1
- openstack-nova-doc-16.1.9~dev77-3.42.1
- venv-openstack-heat-x86_64-9.0.8~dev22-12.31.1
- venv-openstack-monasca-x86_64-2.2.2~dev1-11.26.1
- openstack-nova-serialproxy-16.1.9~dev77-3.42.1
- venv-openstack-aodh-x86_64-5.1.1~dev7-12.30.1
- venv-openstack-barbican-x86_64-5.0.2~dev3-12.31.1
- openstack-nova-conductor-16.1.9~dev77-3.42.1
- venv-openstack-manila-x86_64-5.1.1~dev5-12.35.1
- venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.26.1
- openstack-nova-consoleauth-16.1.9~dev77-3.42.1
- venv-openstack-keystone-x86_64-12.0.4~dev11-11.32.1
- venv-openstack-sahara-x86_64-7.0.5~dev4-11.30.1
- venv-openstack-designate-x86_64-5.0.3~dev7-12.29.1
- openstack-nova-console-16.1.9~dev77-3.42.1
- openstack-nova-placement-api-16.1.9~dev77-3.42.1
- openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1
- venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.28.1
- venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.26.1
- openstack-nova-cells-16.1.9~dev77-3.42.1
- venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.30.1
- openstack-nova-compute-16.1.9~dev77-3.42.1
- python-Jinja2-2.9.6-3.3.1
- venv-openstack-nova-x86_64-16.1.9~dev77-11.32.1
SUSE OpenStack Cloud 8 (x86_64)
- influxdb-1.3.4-4.3.1
- grafana-debuginfo-6.7.4-4.15.1
- grafana-6.7.4-4.15.1
- influxdb-debugsource-1.3.4-4.3.1
- influxdb-debuginfo-1.3.4-4.3.1
SUSE OpenStack Cloud 8 (noarch)
- openstack-nova-16.1.9~dev77-3.42.1
- venv-openstack-neutron-x86_64-11.0.9~dev69-13.34.1
- openstack-nova-novncproxy-16.1.9~dev77-3.42.1
- venv-openstack-octavia-x86_64-1.0.6~dev3-12.31.1
- venv-openstack-cinder-x86_64-11.2.3~dev29-14.32.1
- openstack-nova-api-16.1.9~dev77-3.42.1
- venv-openstack-glance-x86_64-15.0.3~dev3-12.29.1
- openstack-nova-scheduler-16.1.9~dev77-3.42.1
- openstack-nova-vncproxy-16.1.9~dev77-3.42.1
- python-nova-16.1.9~dev77-3.42.1
- venv-openstack-trove-x86_64-8.0.2~dev2-11.30.1
- venv-openstack-ironic-x86_64-9.1.8~dev8-12.31.1
- venv-openstack-murano-x86_64-4.0.2~dev2-12.26.1
- openstack-nova-doc-16.1.9~dev77-3.42.1
- venv-openstack-heat-x86_64-9.0.8~dev22-12.31.1
- venv-openstack-monasca-x86_64-2.2.2~dev1-11.26.1
- openstack-nova-serialproxy-16.1.9~dev77-3.42.1
- venv-openstack-aodh-x86_64-5.1.1~dev7-12.30.1
- venv-openstack-barbican-x86_64-5.0.2~dev3-12.31.1
- openstack-nova-conductor-16.1.9~dev77-3.42.1
- venv-openstack-manila-x86_64-5.1.1~dev5-12.35.1
- venv-openstack-monasca-ceilometer-x86_64-1.5.1_1.5.1_1.5.1~dev3-8.26.1
- openstack-nova-consoleauth-16.1.9~dev77-3.42.1
- venv-openstack-keystone-x86_64-12.0.4~dev11-11.32.1
- venv-openstack-sahara-x86_64-7.0.5~dev4-11.30.1
- venv-openstack-designate-x86_64-5.0.3~dev7-12.29.1
- openstack-nova-console-16.1.9~dev77-3.42.1
- openstack-nova-placement-api-16.1.9~dev77-3.42.1
- openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1
- venv-openstack-ceilometer-x86_64-9.0.8~dev7-12.28.1
- venv-openstack-freezer-x86_64-5.0.0.0~xrc2~dev2-10.26.1
- openstack-nova-cells-16.1.9~dev77-3.42.1
- venv-openstack-magnum-x86_64-5.0.2_5.0.2_5.0.2~dev31-11.30.1
- openstack-nova-compute-16.1.9~dev77-3.42.1
- python-Jinja2-2.9.6-3.3.1
- venv-openstack-nova-x86_64-16.1.9~dev77-11.32.1
SUSE OpenStack Cloud Crowbar 8 (noarch)
- openstack-nova-cells-16.1.9~dev77-3.42.1
- openstack-nova-scheduler-16.1.9~dev77-3.42.1
- openstack-nova-consoleauth-16.1.9~dev77-3.42.1
- openstack-nova-vncproxy-16.1.9~dev77-3.42.1
- openstack-nova-compute-16.1.9~dev77-3.42.1
- openstack-nova-16.1.9~dev77-3.42.1
- python-Jinja2-2.9.6-3.3.1
- crowbar-openstack-5.0+git.1604938523.ded915845-4.46.1
- openstack-nova-novncproxy-16.1.9~dev77-3.42.1
- python-nova-16.1.9~dev77-3.42.1
- openstack-nova-placement-api-16.1.9~dev77-3.42.1
- openstack-nova-console-16.1.9~dev77-3.42.1
- openstack-nova-api-16.1.9~dev77-3.42.1
- openstack-nova-serialproxy-16.1.9~dev77-3.42.1
- openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1
- openstack-nova-doc-16.1.9~dev77-3.42.1
- openstack-nova-conductor-16.1.9~dev77-3.42.1
SUSE OpenStack Cloud Crowbar 8 (x86_64)
- crowbar-core-5.0+git.1606840757.839a64745-3.47.1
- influxdb-1.3.4-4.3.1
- grafana-debuginfo-6.7.4-4.15.1
- grafana-6.7.4-4.15.1
- influxdb-debugsource-1.3.4-4.3.1
- ruby2.1-rubygem-crowbar-client-3.9.3-3.15.1
- influxdb-debuginfo-1.3.4-4.3.1
- crowbar-core-branding-upstream-5.0+git.1606840757.839a64745-3.47.1

Security update for crowbar-core, crowbar-openstack, grafana, influxdb, openstack-heat-templates, openstack-nova, python-Jinja2

Description:

Patch Instructions:

Package List:

References: