Security update for openstack and python-oslo.utils

Announcement ID:	SUSE-SU-2015:1515-1
Rating:	low
References:	bsc#918784 bsc#920573 bsc#926596 bsc#928718 bsc#930574 bsc#931204 bsc#935892
Cross-References:	CVE-2014-9684
CVSS scores:
Affected Products:	SUSE Cloud 5

An update that solves one vulnerability and has six security fixes can now be installed.

Description:

This update provides the following fixes provided from the upstream OpenStack-project:

openstack-suse:
do not copy upstream python requirements to the package, we rely on Requires; upstream requirements.txt introduce version caps which we do not follow (bnc#920573)
openstack-sahara:
Fix getting heat stack in Sahara
Fixed scaling with new node group with auto sg
Open all ports for private network for auto SG
Fix for getting auth url for hadoop-swift
Fixed auto security group cleanup in case of creation error
Add list of open ports for Cloudera plugin
Add missed files for migrations in MANIFEST.in
Include launch_command.py in MANIFEST.in
Fix requires
openstack-keystone:
Updated hybrid backend to include fix for bsc#935892
Deal with PEP-0476 certificate chaining checking
Backport fixes for v3 API sample policy file (lp#1381809 and lp#1392155).
Install v3 sample policy into the doc directory
Update hybrid backend to include latest fixes for v3 protocol (bsc#928718)
backend_argument should be marked secret
Work with pymongo 3.0
Speed up memcache lock
Fix up _ldap_res_to_model for ldap identity backend
Don't try to convert LDAP attributes to boolean
Fix the wrong update logic of catalog kvs driver
Do parameter check before updating endpoint_group
Correct initialization order for logging to use eventlet locks
Fix the syntax issue on creating table endpoint_group
openstack-heat:
Add env storing for loaded environments
Fix block_device_mapping property validation when using get_attr
Add default_client_name in Nova::FloatingIPAssoc
Fix cloud-init Python syntax for Python < 2.6
Allow lists and strings for Json parameters via provider resources
RandomString physical_resource_id as id not the string
Authenticate the domain user with id instead of username
Tell stevedore not to force verify requirements
Use properties.data when testing for "provided by the user"
Ship /usr/lib/heat directory in openstack-heat-engine subpackage, since that's where plugin are loaded from.
Create openstack-heat-plugin-heat_docker subpackage to ship the heat_docker plugin.
Fix update on failed stack
Enable https for keystone while creating stack user
Change the engine-listener topic
Just to delete the stack when adopt rollback
Release stack lock when successfully acquire
Add dependency on Router External Gateway property
Use only FIP dependencies from graph
Add dependency hidden on router_interface
Update heat.conf.sample
Upgrade requirements for kombu and greenlet to Juno versions (bnc#920573)
Stop patching oslo.messaging private bits
openstack-glance:
Eventlet green threads not released back to pool
Replace assert statements with proper control-flow
Fix intermittent unit test failures
Initiate deletion of image files if the import was interrupted to prevent denial of service (bnc#918784, CVE-2014-9684)
openstack-cinder:
Remove nonexistent LIO terminate_connection call
Disallow backing files when uploading volumes to image
LVM: Pass volume size in MiB to copy_volume() during volume migration
Remove iscsi_helper calls from base iscsi driver
Fix exceptions logging in iSCSI targets
Delete the temporary volume if migration fails
Get the 'consumer' in a correct way for retyping with qos-specs
Fix re-export of iscsi volume when using lioadm
Revert "Add support for customized cluster name"
Failed to discovery when iscsi multipath and CHAP both enabled
Add support for customized cluster name
Only use operational LIFs for iscsi target details
Clear migration_status from a destination volume if migration fails
Deal with PEP-0476 certificate chaining checking
openstack-ceilometer:
Ensure unique list of consumers created
Add bandwidth to measurements
Rely on VM UUID to fetch metrics in libvirt
Retry to connect database when DB2 or mongodb is restarted
Use alarm's evaluation periods in sufficient test
[MongoDB] Fix bug with reconnection to new master node
Fix the value of query_spec.maxSample to advoid to be zero
Fix issue when ceilometer-expirer is called from the wrong user via cronjob and the resulting logs end up having wrong ownership. See also bsc#930574
Metering data ttl sql backend breaks resource metadata
Stop mocking os.path in test_setup_events_default_config
Move the cron job to collector package (bnc#926596)
Catch exception when evaluate single alarm
python-oslo.utils:
Update to version 1.4.0
- Add a stopwatch + split for duration(s)
- Allow providing a logger to save_and_reraise_exception
- Utility API to generate EUI-64 IPv6 address
- Add a eventlet utils helper module
- Add microsecond support to iso8601_from_timestamp
- Update Oslo imports to remove namespace package
- Add TimeFixture
- Add microsecond support to timeutils.utcnow_ts()
python-oslo.i18n:
Update to version 1.3.1
- Remove deprecation warning (bnc#931204)
- Correct the translation domain for loading messages
- Workflow documentation is now in infra-manual
- Imported Translations from Transifex
- Activate pep8 check that _ is imported
- Make clear in docs to use _LE() when using LOG.exception()
- Support building wheels (PEP-427)
python-six:
Update to version 1.9.0
- Support the flush parameter to six.print_.
- Add the python_2_unicode_compatible decorator.
- Ensure six.wraps respects the updated and assigned arguments.
- Fix six.moves race condition in multi-threaded code.
- Add six.view(keys|values|itmes), which provide dictionary views on Python 2.7+.
- Fix add_metaclass when the class has slots containing "weakref" or "dict".
- Always accept updated and assigned arguments for wraps().
- Fix import six on Python 3.4 with a custom loader.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Cloud 5
zypper in -t patch sleclo50sp3-openstack-201507-12074=1

Package List:

SUSE Cloud 5 (x86_64)
- python-six-1.9.0-9.2
- openstack-cinder-scheduler-2014.2.4.dev19-9.7
- openstack-ceilometer-agent-notification-2014.2.4.dev18-9.7
- openstack-ceilometer-alarm-evaluator-2014.2.4.dev18-9.7
- python-ceilometer-2014.2.4.dev18-9.7
- openstack-cinder-volume-2014.2.4.dev19-9.7
- openstack-ceilometer-agent-central-2014.2.4.dev18-9.7
- python-oslotest-1.2.0-2.5
- openstack-cinder-backup-2014.2.4.dev19-9.7
- openstack-keystone-2014.2.4.dev5-11.8
- python-oslo.i18n-1.3.1-9.6
- openstack-sahara-api-2014.2.4.dev3-9.5
- python-oslo.utils-1.4.0-14.2
- openstack-heat-api-2014.2.4.dev13-9.6
- openstack-ceilometer-api-2014.2.4.dev18-9.7
- openstack-ceilometer-agent-compute-2014.2.4.dev18-9.7
- openstack-heat-2014.2.4.dev13-9.6
- openstack-sahara-engine-2014.2.4.dev3-9.5
- openstack-ceilometer-2014.2.4.dev18-9.7
- openstack-heat-api-cloudwatch-2014.2.4.dev13-9.6
- openstack-heat-engine-2014.2.4.dev13-9.6
- python-glance-2014.2.4.dev5-9.5
- python-cinder-2014.2.4.dev19-9.7
- openstack-heat-api-cfn-2014.2.4.dev13-9.6
- openstack-ceilometer-agent-ipmi-2014.2.4.dev18-9.7
- python-heat-2014.2.4.dev13-9.6
- python-sahara-2014.2.4.dev3-9.5
- openstack-ceilometer-collector-2014.2.4.dev18-9.7
- python-keystone-2014.2.4.dev5-11.8
- openstack-sahara-2014.2.4.dev3-9.5
- openstack-cinder-2014.2.4.dev19-9.7
- openstack-glance-2014.2.4.dev5-9.5
- openstack-ceilometer-alarm-notifier-2014.2.4.dev18-9.7
- openstack-cinder-api-2014.2.4.dev19-9.7
SUSE Cloud 5 (noarch)
- openstack-cinder-doc-2014.2.4.dev19-9.12
- openstack-ceilometer-doc-2014.2.4.dev18-9.11
- openstack-sahara-doc-2014.2.4.dev3-9.5
- openstack-keystone-doc-2014.2.4.dev5-11.12
- openstack-heat-doc-2014.2.4.dev13-9.8
- openstack-suse-sudo-2014.2-9.2
- openstack-glance-doc-2014.2.4.dev5-9.7

Security update for openstack and python-oslo.utils

Description:

Patch Instructions:

Package List:

References: