SUSE-RU-2020:2161-1
Description
Security update for ansible1, ardana-ansible, ardana-cobbler, ardana-glance, ardana-input-model, ardana-logging, ardana-manila, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-openstack, grafana, kibana, openstack-barbican, openstack-ceilometer, openstack-cinder, openstack-dashboard, openstack-designate, openstack-heat-templates, openstack-ironic, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-agent, openstack-neutron, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, python-Django1, python-Pillow, python-ardana-packager, python-heatclient, python-neutron-tempest-plugin, python-octavia-tempest-plugin, python-os-brick, python-oslo.messaging, python-pyroute2, python-urllib3, python-waitress, release-notes-suse-openstack-cloud, rubygem-activeresource, rubygem-json-1_7, rubygem-puma This update for ansible1, ardana-ansible, ardana-cobbler, ardana-glance, ardana-input-model, ardana-logging, ardana-manila, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-openstack, grafana, kibana, openstack-barbican, openstack-ceilometer, openstack-cinder, openstack-dashboard, openstack-designate, openstack-heat-templates, openstack-ironic, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-agent, openstack-neutron, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, python-Django1, python-Pillow, python-ardana-packager, python-heatclient, python-neutron-tempest-plugin, python-octavia-tempest-plugin, python-os-brick, python-oslo.messaging, python-pyroute2, python-urllib3, python-waitress, release-notes-suse-openstack-cloud, rubygem-activeresource, rubygem-json-1_7, rubygem-puma fixes the following issues: Security fixes included in this update: ansible1: - CVE-2019-3828: Fixed a path traversal in the 
fetch module (bsc#1126503). grafana: - CVE-2020-13379: Fixed an incorrect access control issue which could lead to information leaks or denial of service (bsc#1172409). - CVE-2020-12052: Fixed an cross site scripting vulnerability related to the annotation popup (bsc#1170657). kibana: - CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909). python-Django1 to 1.11.29: - CVE-2020-13254: Fixed a data leakage via malformed memcached keys (bsc#1172167). - CVE-2020-13596: Fixed a cross site scripting vulnerability related to the admin parameters of the ForeignKeyRawIdWidget (bsc#1172166). - CVE-2020-7471: Fixed a SQL injection via StringAgg delimiter (bsc#1161919). - CVE-2020-9402: Fixed a SQL injection via tolerance parameter in GIS functions and aggregates (bsc#1165022). - CVE-2019-19844: Fixed a potential account hijack via password reset form (bsc#1159447). python-Pillow: - CVE-2020-10177: Fixed multiple out-of-bounds reads in libImaging/FliDecode.c (bsc#1173413). - CVE-2020-11538: Fixed multiple out-of-bounds reads via a crafted JP2 files (bsc#1173420). - CVE-2020-10994: Fixed multiple out-of-bounds reads via a crafted JP2 files (bsc#1173418). - CVE-2020-10378: Fixed an out-of-bounds read when reading PCX files (bsc#1173416). - CVE-2019-16865: Fixed a denial of service with specially crafted image files (bsc#1153191). - CVE-2020-5311: Fixed an SGI buffer overflow (bsc#1160151). - CVE-2020-5312: Fixed a buffer overflow in the PCX P mode (bsc#1160152). - CVE-2020-5313: Fixed a buffer overflow related to FLI (bsc#1160153). - CVE-2019-19911: Fixed a denial of service in FpxImagePlugin.py (bsc#1160192). python-waitress to version 1.4.3: - CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling (bsc#1161088). - CVE-2019-16786: Fixed HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089). - CVE-2019-16789: Fixed HTTP Request Smuggling through invalid whitespace characters (bsc#1160790). 
- CVE-2019-16792: Fixed HTTP Request Smuggling through Content-Length header handling (bsc#1161670). rubygem-activeresource: - CVE-2020-8151: Fixed possible information disclosure through specially crafted requests (bsc#1171560). Non security fixes: Changes in ansible1.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Add 0001-Disallow-use-of-remote-home-directories-containing-..patch (bsc#1126503, CVE-2019-3828) Changes in ardana-ansible.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1591138508.e269bdb: * Use internal endpoint for upload image (SOC-11294) - Update to version 9.0+git.1589740968.d339a28: * Reconfigure rabbitmq user permissions on update (SOC-11082) - Update to version 9.0+git.1588953276.b8b5512: * Fix incorrect prefix used to collect supportconfig files (bsc#1171273) Changes in ardana-cobbler.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1588181228.bae3b1f: * Ensure distro_signatures.json gets updated if needed (SOC-11249) Changes in ardana-glance.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1593631708.9354a78: * Idempotent cirros image upload to glance (SOC-11342) Changes in ardana-input-model.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1589740948.c24fc0b: * Add default rabbitmq exchange write permissions (SOC-11082) Changes in ardana-logging.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1591193994.d93b668: * kibana: set x-frame-options header (bsc#1171909) Changes in ardana-manila.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1594158642.b5905e4: * Ensure manila_upgrade_mode is initialised appropriately (SOC-11341) - Update to version 9.0+git.1593516580.6c83767: * Skip openstack-manila-share status check during upgrade (SOC-11341) Changes in ardana-monasca.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1589385256.7fbfaaf: * Fix stop start/stop logic 
(SOC-11209) - Update to version 9.0+git.1588610558.98958f3: * Fix monasca-thresh-wrapper status action (SOC-11209) - Update to version 9.0+git.1588343155.0e67455: * monasca-thresh restart and storm upgrade enhancements (SOC-11209) Changes in ardana-mq.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1593618110.cbd1a37: * Ensure epmd.service started/stopped independent of rabbitmq (SOC-6780) - Update to version 9.0+git.1589715197.9196f62: * Don't mirror reply queues (SOC-10317) Changes in ardana-neutron.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1590756257.e09d54f: * Update L3 rootwrap filters (SOC-11306) Changes in ardana-octavia.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1590079609.a2ae6ab: * fix octavia to glance communication over internal endpoint (SOC-11294) Changes in ardana-tempest.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 9.0+git.1593033709.9495bb2: * load-balancer: set check timeout to 120 seconds (SOC-11330) - Update to version 9.0+git.1593010160.cb417d7: * Blacklist neutron test_snat_external_ip test (SOC-11279) - Update to version 9.0+git.1592341936.3b5ad41: * Remove blacklisted octavia test (SOC-11289) - Update to version 9.0+git.1592239656.b18289a: * Blacklist NetworkMigration tests (SOC-11279) - Update to version 9.0+git.1590429931.4fa308a: * Install only needed tempest pluguins (SOC-11297) - Update to version 9.0+git.1590164310.9e7888e: * Enable tempest shelve tests (SOC-9775) - Update to version 9.0+git.1590151267.16bddd9: * Add NetworkMigration tests back in neutron filter (SOC-11279) - Update to version 9.0+git.1589460689.e3bd243: * Enable test_delete_policies_while_tenant_attached_to_net test (SOC-9235) - Update to version 9.0+git.1589206665.aedb17d: * Blacklist some NetworkMigration tests (SOC-11279) Changes in crowbar-core.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 6.0+git.1594619891.b75a61d0d: * upgrade: 
Do not stop pacemaker managed apache service (SOC-11298) - Update to version 6.0+git.1593156244.533c05c01: * Ignore CVE-2020-8184 (SOC-11299) - Update to version 6.0+git.1592589539.e0cbb8c8f: * provisioner: allow tftp access from admin network only (bsc#1019111) - Update to version 6.0+git.1590650924.e7548b2ac: * Ignore latest ruby-related CVEs in the CI (SOC-11299) - Update to version 6.0+git.1589803358.48ba3f4a6: * provisioner: Fix ssh key validation (SOC-11126) - Update to version 6.0+git.1588062060.de79301bf: * upgrade: disable zypper process check temporarily (SOC-11203) Changes in crowbar-openstack.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 6.0+git.1591795073.49cb6400e: * kibana: set x-frame-options header (bsc#1171909, CVE-2020-10743) - Update to version 6.0+git.1591104467.7de344556: * Restore undeprecated nova dhcp_domain option (bsc#1171594) - Update to version 6.0+git.1590579980.5258ac04a: * tempest: Enable shelve tests when using RBD ephemeral (SOC-11176) - Update to version 6.0+git.1589957131.fcfccecc1: * galera: Make sure checks are executed without password (bsc#1136928) - Update to version 6.0+git.1589573559.3bf36a7cd: * rabbitmq: sync startup definitions.json with recipe (SOC-11077,SOC-11274) - Update to version 6.0+git.1589544034.e52fd938a: * trove: fix rabbitmq connection URL (SOC-11286) - Update to version 6.0+git.1589389407.5a306c6d3: * tempest: remove port_admin_state_change workaround (SOC-10029) - Update to version 6.0+git.1588686448.3c0060ca7: * Fix monasca libvirt ping checks (bsc#1107190) - Update to version 6.0+git.1588259003.a4e938422: * run keystone_register on cluster founder only when HA (SOC-11248) * ceilometer: Post API removal cleanup (SOC-10124) - Update to version 6.0+git.1588096476.79154bb30: * nova: run keystone_register on cluster founder only (SOC-11243) Changes in grafana.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Add CVE-2020-13379.patch * Security: fix unauthorized avatar proxying 
(bsc#1172409, CVE-2020-13379) - Add 0001-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch * Security: Fix annotation popup XSS vulnerability (bsc#1170657, CVE-2020-12052) - Add CVE-2019-15043.patch (SOC-10357, CVE-2019-15043, bsc#1148383) - Create plugin directory and clean up (create in %install, add to %files) handling of /var/lib/grafana/* and Changes in kibana.SUSE_SLE-12-SP4_Update_Products_Cloud9: - Add 0001-Configurable-custom-response-headers-for-server.patch (bsc#1171909, CVE-2020-10743) Changes in openstack-barbican.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - drop python-argparse buildrequires Changes in openstack-ceilometer.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version ceilometer-11.1.1.dev7: * [stable-only] Add confluent-kafka to test-requirements - Update to version ceilometer-11.1.1.dev6: * Temporary failures should be treated as temporary Changes in openstack-ceilometer.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version ceilometer-11.1.1.dev7: * [stable-only] Add confluent-kafka to test-requirements - Update to version ceilometer-11.1.1.dev6: * Temporary failures should be treated as temporary Changes in openstack-cinder.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version cinder-13.0.10.dev12: * Remove VxFlex OS credentials from connection\_properties - Update to version cinder-13.0.10.dev11: * [stable only] Add warning about rbd\_keyring\_conf - Update to version cinder-13.0.10.dev10: * VMAX Driver - Backport fix for Rocky and Queens Changes in openstack-cinder.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - drop obsolete python-argparse buildrequires - Update to version cinder-13.0.10.dev12: * Remove VxFlex OS credentials from connection\_properties - Update to version cinder-13.0.10.dev11: * [stable only] Add warning about rbd\_keyring\_conf - Update to version cinder-13.0.10.dev10: * VMAX Driver - Backport fix for Rocky and Queens Changes in 
openstack-dashboard.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version horizon-14.1.1.dev6: * Fix tenant\_id for a new port - Update to version horizon-14.1.1.dev5: * Fix .zuul.yaml syntax errors * Gate fix: use tempest-horizon 0.2.0 explicitly * Authenticate before Authorization Changes in openstack-designate.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version designate-7.0.2.dev2: * Worker should send NOTIFY also to all servers in 'also\_notifies' pool settings - Update to version designate-7.0.2.dev1: * Pin stable/rocky tempest tests to 0.7.0 tag 7.0.1 Changes in openstack-designate.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version designate-7.0.2.dev2: * Worker should send NOTIFY also to all servers in 'also\_notifies' pool settings - Update to version designate-7.0.2.dev1: * Pin stable/rocky tempest tests to 0.7.0 tag 7.0.1 Changes in openstack-heat-templates.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 0.0.0+git.1582270132.8a20477: * Drop use of git.openstack.org * Add example for running Zun container * OpenDev Migration Patch * Replace openstack.org git:// URLs with https:// * Add sample templates for Blazar * Remove docs, deprecated hooks, tests * Update the bugs link to storyboard * Add an example of OS::Mistral::ExternalResource Changes in openstack-ironic.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version ironic-11.1.5.dev6: * Fix issue where server fails to reboot - Update to version ironic-11.1.5.dev4: * Fix SpanLength calculation for DRAC RAID configuration Changes in openstack-ironic.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version ironic-11.1.5.dev6: * Fix issue where server fails to reboot - Update to version ironic-11.1.5.dev4: * Fix SpanLength calculation for DRAC RAID configuration Changes in openstack-keystone.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version keystone-14.2.1.dev4: * Fix security issues with EC2 credentials * 
Ensure OAuth1 authorized roles are respected - Update to version keystone-14.2.1.dev2: * Check timestamp of signed EC2 token request - Update to version keystone-14.2.1.dev1: * Add cadf auditing to credentials 14.2.0 Changes in openstack-keystone.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Remove patches (merged upstream) * 0002-Check-timestamp-of-signed-EC2-token-request.patch * 0002-Ensure-OAuth1-authorized-roles-are-respected.patch * 0002-Fix-security-issues-with-EC2-credentials.patch - Update to version keystone-14.2.1.dev4: * Fix security issues with EC2 credentials * Ensure OAuth1 authorized roles are respected - Update to version keystone-14.2.1.dev2: * Check timestamp of signed EC2 token request - Add security patches (bsc#1171070, bsc#1171071, bsc#1171072): * 0002-Check-timestamp-of-signed-EC2-token-request.patch * 0002-Ensure-OAuth1-authorized-roles-are-respected.patch * 0002-Fix-security-issues-with-EC2-credentials.patch - Update to version keystone-14.2.1.dev1: * Add cadf auditing to credentials 14.2.0 Changes in openstack-magnum.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - drop obsolete python-argparse buildrequires Changes in openstack-manila.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version manila-7.4.2.dev31: * [Unity]: Failed to delete cifs share if wrong access set - Update to version manila-7.4.2.dev29: * [devstack][ci] Move bgp setup to plugin - Update to version manila-7.4.2.dev27: * [devstack][ci] Modify firewall in ds-plugin - Update to version manila-7.4.2.dev25: * [devstack][ci] Set public network ID in tempest.conf * Make manila-tempest-plugin installation optional - Update to version manila-7.4.2.dev21: * fix bug in consume from share - Update to version manila-7.4.2.dev19: * Conditionally restore default route in setup\_ipv6 - Update to version manila-7.4.2.dev18: * [NetApp] Fix driver to honor standard extra specs * [NetApp] cDOT to set valid QoS during migration - Update to version manila-7.4.2.dev14: * Remove 
provisioned calculation on non thin provision backends - Update to version manila-7.4.2.dev12: * [NetApp] Fix share replica failing for 'transfer in progress' error * [NetApp] Fix share shrink error status * Delete type access list when deleting types * fix bug in quota checking * Prevent share type deletion if linked to group types Changes in openstack-manila.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - drop obsolete python-argparse buildrequires - Update to version manila-7.4.2.dev31: * [Unity]: Failed to delete cifs share if wrong access set - Update to version manila-7.4.2.dev29: * [devstack][ci] Move bgp setup to plugin - Update to version manila-7.4.2.dev27: * [devstack][ci] Modify firewall in ds-plugin - Update to version manila-7.4.2.dev25: * [devstack][ci] Set public network ID in tempest.conf * Make manila-tempest-plugin installation optional - Update to version manila-7.4.2.dev21: * fix bug in consume from share - Update to version manila-7.4.2.dev19: * Conditionally restore default route in setup\_ipv6 - Update to version manila-7.4.2.dev18: * [NetApp] Fix driver to honor standard extra specs * [NetApp] cDOT to set valid QoS during migration - Update to version manila-7.4.2.dev14: * Remove provisioned calculation on non thin provision backends - Update to version manila-7.4.2.dev12: * [NetApp] Fix share replica failing for 'transfer in progress' error * [NetApp] Fix share shrink error status * Delete type access list when deleting types * fix bug in quota checking * Prevent share type deletion if linked to group types Changes in openstack-monasca-agent.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - update to version 2.8.2~dev5 - Fix libvirt ping_checks documentation - update to version 2.8.2~dev3 - Add debug output for libvirt ping checks - Lockdown /bin/ip permissions for the monasca-agent (bsc#1107190) - add addtional arguments to /bin/ip in sudoers - Fix missing sudo privleges (bsc#1107190) - add /bin/ip and /usr/bin/ovs-vsctl to monasca-agent 
sudoers - update to version 2.8.2~dev2 - Remove incorrect assignment of ping_cmd to 'True' - Do not copy /sbin/ip to /usr/bin/monasa-agent-ip Changes in openstack-neutron.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version neutron-13.0.8.dev68: * [DVR] Related routers should be included if are requested - Update to version neutron-13.0.8.dev67: * [EM releases] Move non-voting jobs to the experimental queue * [OVS] Make QoS OVS agent deletion operations more resilient * Add 'igmp\_snooping\_enable' config option for OVS agent - Update to version neutron-13.0.8.dev61: * Unnecessary routers should not be created * Ensure that stale flows are cleaned from phys\_bridges * Do not block connection between br-int and br-phys on startup * Improve log message when port losts its vlan tag * [DVR] Reconfigure re-created physical bridges for dvr routers - Update to version neutron-13.0.8.dev52: * Fix rocky gates, multiple fixes - Update to version neutron-13.0.8.dev51: * Dynamically increase l3 router process queue green pool size - Update to version neutron-13.0.8.dev49: * Allow usage of legacy 3rd-party interface drivers - Update to version neutron-13.0.8.dev47: * Router synch shouldn't return unrelated routers - Update to version neutron-13.0.8.dev45: * Only notify nova of port status changes if configured - Update to version neutron-13.0.8.dev44: * Add Rocky milestone tag for alembic migration revisions - Update to version neutron-13.0.8.dev42: * Cap pycodestyle to be < 2.6.0 * Report L3 extensions enabled in the L3 agent's config - Update to version neutron-13.0.8.dev39: * Adding LOG statements to debug 1838449 - Update to version neutron-13.0.8.dev38: * Improve VLAN allocations synchronization * [L3 HA] Add 'no\_track' option to VIPs in keepalived config * Change ovs-agent iteration log level to INFO * Refactor the L3 agent batch notifier * Do not link up HA router gateway in backup node Changes in 
openstack-neutron.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version neutron-13.0.8.dev68: * [DVR] Related routers should be included if are requested - Add 0001-Revert-Do-not-block-connection-between-br-int-and-br.patch (LP#1887148) - Update to version neutron-13.0.8.dev67: * [EM releases] Move non-voting jobs to the experimental queue * [OVS] Make QoS OVS agent deletion operations more resilient * Add 'igmp\_snooping\_enable' config option for OVS agent - Update to version neutron-13.0.8.dev61: * Unnecessary routers should not be created * Ensure that stale flows are cleaned from phys\_bridges * Do not block connection between br-int and br-phys on startup * Improve log message when port losts its vlan tag * [DVR] Reconfigure re-created physical bridges for dvr routers - Update to version neutron-13.0.8.dev52: * Fix rocky gates, multiple fixes - Update to version neutron-13.0.8.dev51: * Dynamically increase l3 router process queue green pool size - Update to version neutron-13.0.8.dev49: * Allow usage of legacy 3rd-party interface drivers - Update to version neutron-13.0.8.dev47: * Router synch shouldn't return unrelated routers - Update to version neutron-13.0.8.dev45: * Only notify nova of port status changes if configured - Update to version neutron-13.0.8.dev44: * Add Rocky milestone tag for alembic migration revisions - Update to version neutron-13.0.8.dev42: * Cap pycodestyle to be < 2.6.0 * Report L3 extensions enabled in the L3 agent's config - Update to version neutron-13.0.8.dev39: * Adding LOG statements to debug 1838449 - Update to version neutron-13.0.8.dev38: * Improve VLAN allocations synchronization * [L3 HA] Add 'no\_track' option to VIPs in keepalived config * Change ovs-agent iteration log level to INFO * Refactor the L3 agent batch notifier * Do not link up HA router gateway in backup node Changes in openstack-neutron-vsphere.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - The networking-vsphere repo got moved from github to 
opendev.org. We no longer able to automatically generate changelogs from opendev.org as it doesn't provide the same API as github. We'll need to manually update it from now on. - update to version 2.0.1~dev167 - Making networking-vsphere run under Python3 - OVSvApp Security Group Changes Changes in openstack-nova.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version nova-18.3.1.dev38: * libvirt: Don't delete disks on shared storage during evacuate * Add functional test for bug 1550919 - Update to version nova-18.3.1.dev36: * Fix os\_CODENAME detection and repo refresh during ceph tests - Update to version nova-18.3.1.dev35: * Update scheduler instance info at confirm resize - Update to version nova-18.3.1.dev33: * Reproduce bug 1869050 - Update to version nova-18.3.1.dev31: * Revert 'nova shared storage: rbd is always shared storage' - Update to version nova-18.3.1.dev29: * Clean up allocation if unshelve fails due to neutron * Reset the cell cache for database access in Service * Reproduce bug 1862633 * Make RBD imagebackend flatten method idempotent - Update to version nova-18.3.1.dev21: * Add config option for neutron client retries - Update to version nova-18.3.1.dev19: * Add retry to cinder API calls related to volume detach - Update to version nova-18.3.1.dev18: * Lowercase ironic driver hash ring and ignore case in cache Changes in openstack-nova.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version nova-18.3.1.dev38: * libvirt: Don't delete disks on shared storage during evacuate * Add functional test for bug 1550919 - Update to version nova-18.3.1.dev36: * Fix os\_CODENAME detection and repo refresh during ceph tests - Update to version nova-18.3.1.dev35: * Update scheduler instance info at confirm resize - Update to version nova-18.3.1.dev33: * Reproduce bug 1869050 - Update to version nova-18.3.1.dev31: * Revert 'nova shared storage: rbd is always shared storage' - Update to version nova-18.3.1.dev29: * Clean up allocation if 
unshelve fails due to neutron * Reset the cell cache for database access in Service * Reproduce bug 1862633 * Make RBD imagebackend flatten method idempotent - Update to version nova-18.3.1.dev21: * Add config option for neutron client retries - Update to version nova-18.3.1.dev19: * Add retry to cinder API calls related to volume detach - Update to version nova-18.3.1.dev18: * Lowercase ironic driver hash ring and ignore case in cache Changes in openstack-octavia.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update patch for SUSE distro support * Fix osutils.py to handle secondary interfaces (SOC-11289) * Add 020-amphora-logging.conf for configuring log targets - Update to version octavia-3.2.3.dev7: * Fix the amphora noop driver * Validate resource access when creating loadbalancer or member - Update to version octavia-3.2.3.dev3: * Fix Rocky v2 scenario and grenade jobs Changes in openstack-octavia-amphora-image.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update image to 0.1.4 to include latest changes Changes in openstack-resource-agents.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 1.0+git.1569436425.8b9c49f: * Add a configurable delay to Nova Evacuate calls * OpenDev Migration Patch * NovaEvacuate: fix a syntax error * NovaEvacuate: Support the new split-out IHA fence agents with backwards compatibility * NovaEvacuate: Correctly handle stopped hypervisors * neutron-ha-tool: do not replicate dhcp * NovaCompute: Support parsing host option from /etc/nova/nova.conf.d * NovaCompute: Use variable to avoid calling crudini a second time * NovaEvacuate: Allow debug logging to be turned on easily Changes in python-Django1.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Update to version 1.11.29 (bsc#1161919, CVE-2020-7471, bsc#1165022, CVE-2020-9402, bsc#1159447, CVE-2019-19844) * Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle. * Pinned PyYAML < 5.3 in test requirements. 
* Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter. * Fixed timezones tests for PyYAML 5.3+. * Fixed CVE-2019-19844 -- Used verified user email for password reset requests. * Fixed #31073 -- Prevented CheckboxInput.get_context() from mutating attrs. * Fixed #30826 -- Fixed crash of many JSONField lookups when one hand side is key transform. * Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation. - Security fixes (bsc#1172167, bsc#1172166, CVE-2020-13254, CVE-2020-13596) * Added patch CVE-2020-13254.patch * Added patch CVE-2020-13596.patch Changes in python-Pillow.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Add 010-Fix-OOB-reads-in-FLI-decoding.patch * From upstream, backported * Fixes CVE-2020-10177, bsc#1173413 - Add 011-Fix-buffer-overflow-in-SGI-RLE-decoding.patch * From upstream, backported * Fixes CVE-2020-11538, bsc#1173420 - Add 012-Fix-bounds-overflow-in-JPEG-2000-decoding.patch * From upstream, backported * Fixes CVE-2020-10994, bsc#1173418 - Add 013-Fix-bounds-overflow-in-PCX-decoding.patch * From upstream, backported * Fixes CVE-2020-10378, bsc#1173416 - Remove decompression_bomb.gif and relevant test case to avoid ClamAV scan alerts during build - Add 001-Corrected-negative-seeks.patch * From upstream, backported * Fixes part of CVE-2019-16865, bsc#1153191 - Add 002-Added-decompression-bomb-checks.patch * From upstream, backported * Fixes part of CVE-2019-16865, bsc#1153191 - Add 003-Raise-error-if-dimension-is-a-string.patch * From upstream, backported * Fixes part of CVE-2019-16865, bsc#1153191 - Add 004-Catch-buffer-overruns.patch * From upstream, backported * Fixes part of CVE-2019-16865, bsc#1153191 - Add 005-Catch-PCX-P-mode-buffer-overrun.patch * From upstream, backported * Fixes CVE-2020-5312, bsc#1160152 - Add 006-Catch-SGI-buffer-overruns.patch * From upstream, backported * Fixes CVE-2020-5311, bsc#1160151 - Add 007-Ensure-previous-FLI-frame-is-loaded.patch * From upstream, 
backported * Fixes https://github.com/python-pillow/Pillow/issues/2649 * Uncovers CVE-2020-5313, bsc#1160153 - Add 008-Catch-FLI-buffer-overrun.patch * From upstream, backported * Fixes CVE-2020-5313, bsc#1160153 - Add 009-Invalid-number-of-bands-in-FPX-image.patch * From upstream, backported * Fixes CVE-2019-19911, bsc#1160192 Changes in python-ardana-packager.SUSE_SLE-12-SP4_Update_Products_Cloud9: - fetch updated nova_host_aggregate from git - Add missing novaclient required domain entries (bsc#1174006) - update from git repo - Add missing novaclient required domain entries (bsc#1174006) Changes in python-heatclient.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - update to version 1.16.3 - Replace openstack.org git:// URLs with https:// - OpenDev Migration Patch Changes in python-neutron-tempest-plugin.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - added 0002-Ensure-that-external-network-dont-have-any-ports-before-deletion.patch Changes in python-octavia-tempest-plugin.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Fix broken compile options for httpd.bin Changes in python-os-brick.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - Apply patches to resolve CVE-2020-10755 (bsc#1172522) - 0001-Remove-VxFlex-OS-credentials-from-connection_propert.patch - 0002-Fix-Remove-VxFlex-OS-credentials-regression.patch Changes in python-oslo.messaging.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - added 0001-Use-default-exchange-for-direct-messaging.patch (SOC-11082, SOC-11274, bsc#1159046) Changes in python-pyroute2.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - update to 0.5.2 * ndb: read-only DB prototype * remote: support communication via stdio * general: fix async keyword -- Python 3.7 compatibility * <https://github.com/svinota/pyroute2/issues/467> * <https://bugzilla.redhat.com/show_bug.cgi?id=1583800> * iproute: support monitoring on BSD systems via PF_ROUTE * rtnl: support for SQL schema in message classes * nl80211: improvements * 
<https://github.com/svinota/pyroute2/issues/512>
  * <https://github.com/svinota/pyroute2/issues/514>
  * <https://github.com/svinota/pyroute2/issues/515>
  * netlink: support generators
- update to 0.5.1
  * ipdb: #310 -- route keying fix
  * ipdb: #483, #484 -- callback internals change
  * ipdb: #499 -- eventloop interface
  * ipdb: #500 -- fix non-default :: routes
  * netns: #448 -- API change: setns() doesn't remove FD
  * netns: #504 -- fix resource leakage
  * bsd: initial commits
- update to 0.5.0
  * ACHTUNG: ipdb commit logic is changed
  * ipdb: do not drop failed transactions
  * ipdb: #388 -- normalize IPv6 addresses
  * ipdb: #391 -- support both IPv4 and IPv6 default routes
  * ipdb: #392 -- fix MPLS route key reference
  * ipdb: #394 -- correctly work with route priorities
  * ipdb: #408 -- fix IPv6 routes in tables >= 256
  * ipdb: #416 -- fix VRF interfaces creation
  * ipset: multiple improvements
  * tuntap: #469 -- support s390x arch
  * nlsocket: #443 -- fix socket methods resolve order for Python2
  * netns: non-destructive `netns.create()`

Changes in python-urllib3.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Skip test_source_address_error as we raise a different error with the fixes that we provide in the new python2/3
- Update python-urllib3-recent-date.patch to have RECENT_DATE within the needed boundaries for the test suite.

Changes in python-waitress.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- update to 1.4.3 to include fixes for:
  * CVE-2019-16785 / bsc#1161088
  * CVE-2019-16786 / bsc#1161089
  * CVE-2019-16789 / bsc#1160790
  * CVE-2019-16792 / bsc#1161670
- make sure a UTF-8 locale is used when running tests
  * Sometimes functional tests executed in python3 failed if stdout was not set to UTF-8. The error message was: ValueError: underlying buffer has been detached
- %python3_only -> %python_alternative
- update to 1.4.3
  * Waitress did not properly validate that the HTTP headers it received were properly formed, thereby potentially allowing a front-end server to treat a request differently from Waitress. This could lead to HTTP request smuggling/splitting.
- drop patch local-intersphinx-inventories.patch
  * it was commented out, anyway
- update to 1.4.0:
  - Waitress used to slam the door shut on HTTP pipelined requests without setting the ``Connection: close`` header as appropriate in the response. This is of course not very friendly. Waitress now explicitly sets the header when responding with an internally generated error such as 400 Bad Request or 500 Internal Server Error to notify the remote client that it will be closing the connection after the response is sent.
  - Waitress no longer allows any spaces to exist between the header field-name and the colon. While waitress did not strip the space and thereby was not vulnerable to any potential header field-name confusion, it should have sent back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273
  - CRLF handling security fixes
- update to 1.3.1
  * Waitress won't accidentally throw away part of the path if it starts with a double slash
- version update to 1.3.0
  Deprecations
  - The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated pending removal in a future release. and https://github.com/Pylons/waitress/pull/246
  Features
  - Add a new ``outbuf_high_watermark`` adjustment which is used to apply backpressure on the ``app_iter`` to avoid letting it spin faster than data can be written to the socket. This stabilizes responses that iterate quickly with a lot of data. See https://github.com/Pylons/waitress/pull/242
  - Stop early and close the ``app_iter`` when attempting to write to a closed socket due to a client disconnect. This should notify a long-lived streaming response when a client hangs up. See https://github.com/Pylons/waitress/pull/238 and https://github.com/Pylons/waitress/pull/240 and https://github.com/Pylons/waitress/pull/241
  - Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls how much waitress will buffer internally before flushing to the kernel, whereas previously it used to also throttle how much data was sent to the kernel. This change enables a streaming ``app_iter`` containing small chunks to still be flushed efficiently. See https://github.com/Pylons/waitress/pull/246
  Bugfixes
  - Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will no longer set the version to the string value 'None'. See https://github.com/Pylons/waitress/pull/252 and https://github.com/Pylons/waitress/issues/110
  - When a client closes a socket unexpectedly there was potential for memory leaks in which data was written to the buffers after they were closed, causing them to reopen. See https://github.com/Pylons/waitress/pull/239
  - Fix the queue depth warnings to only show when all threads are busy. See https://github.com/Pylons/waitress/pull/243 and https://github.com/Pylons/waitress/pull/247
  - Trigger the ``app_iter`` to close as part of shutdown. This will only be noticeable for users of the internal server API. In more typical operations the server will die before benefiting from these changes. See https://github.com/Pylons/waitress/pull/245
  - Fix a bug in which a streaming ``app_iter`` may never clean up data that has already been sent. This would cause buffers in waitress to grow without bounds. These buffers now properly rotate and release their data. See https://github.com/Pylons/waitress/pull/242
  - Fix a bug in which non-seekable subclasses of ``io.IOBase`` would trigger an exception when passed to the ``wsgi.file_wrapper`` callback. See https://github.com/Pylons/waitress/pull/249
- Trim marketing wording and other platform mentions.
- Add fetch-intersphinx-inventories.sh to sources
- Add local-intersphinx-inventories.patch for generating the docs correctly
- update to version 1.2.1: too many changes to list here, see: https://github.com/Pylons/waitress/blob/master/CHANGES.txt or even: https://github.com/Pylons/waitress/commits/master
- Remove superfluous devel dependency for noarch package

Changes in rubygem-activeresource.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Add bsc#1171560-CVE-2020-8151-encode-id-param.patch: prevent a possible information disclosure issue that could allow an attacker to create specially crafted requests to access data in an unexpected way (bsc#1171560, CVE-2020-8151)

Changes in rubygem-json-1_7.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Add CVE-2020-10663.patch (CVE-2020-10663, bsc#1167244)

Changes in rubygem-puma.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Fix indentation in gem2rpm.yml
- Add CVE-2020-11077.patch (bsc#1172175, CVE-2020-11077)
- Add chunked-request-handling.patch (needed for CVE-2020-11076.patch)
- Add CVE-2020-11076.patch (bsc#1172176, CVE-2020-11076)
- Add all patches to gem2rpm.yml

Changes in release-notes-suse-openstack-cloud.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.20200610:
  * Terraform support validation release note added (SOC-11314)
- Update to version 9.20200504:
  * language change for accuracy - MANAGEMENT network group (SOC-10106)
  * add limitation about MANAGEMENT network group (SOC-10106)
- Update to version 9.20200429:
  * Mark identity API v2 as deprecated (bsc#1163446)
- Update to version 9.20200428:
  * Update release notes to indicate Octavia support has shipped (SOC-11241)
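Worked example for the python-waitress header-validation entries above (1.4.0: no whitespace between a header field-name and the colon, answer 400 Bad Request instead; 1.4.3: malformed headers let a front-end treat a request differently from the back-end, which is the basis of request smuggling/splitting). This is an added illustration, not waitress code and not part of the SUSE update. It models three parsers over one constructed request whose Content-Length header carries a space before the colon: a lenient front-end that strips the space and believes the body is 11 bytes, a back-end that keeps the field-name verbatim and therefore sees no Content-Length at all, and a strict back-end that rejects the request. The two tolerant parsers disagree about where the next pipelined request starts; only the strict one removes the ambiguity. The function and variable names, the sample request, and the extra checks for bare CR/LF, duplicate or non-numeric Content-Length, and Content-Length combined with Transfer-Encoding (RFC 7230 section 3.3.3) are this example's own assumptions, not something the changelog states waitress does.

```python
"""Strict vs. lenient HTTP/1.1 header parsing (added example; not waitress code).

Models how a front-end proxy and a back-end server can disagree about the
body length of a request when the back-end tolerates a malformed header
field-name instead of answering 400 Bad Request.
"""
import re

# RFC 7230 "token" characters: the only bytes allowed in a header field-name.
# A trailing space before the colon is therefore never part of a valid name.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class MalformedRequest(Exception):
    """Raised where a strict server would answer 400 Bad Request."""


def split_head(raw: bytes):
    """Split a raw request into (request_line, header_lines, body_bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("no end of header block")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def parse_request(raw: bytes, mode: str):
    """Parse one request head; return (headers, declared_body_length, body_bytes).

    mode "lenient": strip whitespace around the field-name (a forgiving proxy).
    mode "ignore":  keep the field-name verbatim, so b"Content-Length " is just
                    an unknown header and the body is assumed to be empty.
    mode "strict":  reject non-token field-names, bare CR/LF, a duplicate or
                    non-numeric Content-Length, and Content-Length together
                    with Transfer-Encoding (RFC 7230 section 3.3.3).
    """
    if mode not in ("lenient", "ignore", "strict"):
        raise ValueError("unknown mode %r" % mode)
    _, lines, body = split_head(raw)
    headers = {}
    for line in lines:
        if b"\r" in line or b"\n" in line:
            raise MalformedRequest("bare CR or LF inside a header line")
        name, sep, value = line.partition(b":")
        if not sep:
            raise MalformedRequest("header line without a colon")
        if mode == "lenient":
            name = name.strip(b" \t")
        elif mode == "strict" and not _TOKEN.match(name):
            raise MalformedRequest("invalid header field-name %r" % name)
        key = name.lower()
        if key in headers and key in (b"content-length", b"transfer-encoding"):
            raise MalformedRequest("duplicate %r header" % key)
        headers[key] = value.strip(b" \t")

    if mode == "strict" and b"content-length" in headers and b"transfer-encoding" in headers:
        raise MalformedRequest("Content-Length and Transfer-Encoding both present")
    length_value = headers.get(b"content-length", b"0")
    if not length_value.isdigit():
        if mode == "strict":
            raise MalformedRequest("non-numeric Content-Length %r" % length_value)
        length_value = b"0"  # tolerant parsers silently fall back to "no body"
    return headers, int(length_value), body


def next_request_start(raw: bytes, mode: str) -> bytes:
    """Bytes a parser in `mode` reads as the start of the next pipelined request."""
    _, length, body = parse_request(raw, mode)
    return body[length:]


def is_rejected(raw: bytes) -> bool:
    """True when the strict parser would answer this request with 400 Bad Request."""
    try:
        parse_request(raw, "strict")
    except MalformedRequest:
        return True
    return False


# Constructed sample (not captured traffic): one connection buffer holding a POST
# whose Content-Length has a space before the colon, followed by a second request.
SAMPLE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length : 11\r\n"
    b"\r\n"
    b"hello world"
    b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
)


def compare_modes(raw: bytes = SAMPLE):
    """Body length each mode derives for `raw`; None where the strict parser rejects it."""
    results = {}
    for mode in ("lenient", "ignore", "strict"):
        try:
            results[mode] = parse_request(raw, mode)[1]
        except MalformedRequest:
            results[mode] = None
    return results


if __name__ == "__main__":
    for mode, length in compare_modes().items():
        print(mode, "->", "400 Bad Request" if length is None else "body length %d" % length)
    # lenient -> body length 11 ; ignore -> body length 0 ; strict -> 400 Bad Request
```

The lenient parser forwards 11 bytes of body and then expects `GET /admin` as the next request; the verbatim parser sees an empty body and starts parsing the next request at `hello world`. Whatever bytes sit between those two positions are interpreted by one side and not the other, which is the desynchronisation the 1.4.3 entry describes. The strict parser refuses the request up front, so there is nothing left to disagree about.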
Affected Systems
- ansible1 (SUSE OpenStack Cloud 9): < 1.9.6-9.7.2
- ardana-ansible (SUSE OpenStack Cloud 9): < 9.0+git.1591138508.e269bdb-3.22.2
- ardana-cobbler (SUSE OpenStack Cloud 9): < 9.0+git.1588181228.bae3b1f-3.13.2
- ardana-glance (SUSE OpenStack Cloud 9): < 9.0+git.1593631708.9354a78-3.13.2
- ardana-input-model (SUSE OpenStack Cloud 9): < 9.0+git.1589740948.c24fc0b-3.19.2
- ardana-logging (SUSE OpenStack Cloud 9): < 9.0+git.1591193994.d93b668-3.13.2
- ardana-manila (SUSE OpenStack Cloud 9): < 9.0+git.1594158642.b5905e4-3.12.2
- ardana-monasca (SUSE OpenStack Cloud 9): < 9.0+git.1589385256.7fbfaaf-3.19.2
- ardana-mq (SUSE OpenStack Cloud 9): < 9.0+git.1593618110.cbd1a37-3.16.2
- ardana-neutron (SUSE OpenStack Cloud 9): < 9.0+git.1590756257.e09d54f-3.22.2
- ardana-octavia (SUSE OpenStack Cloud 9): < 9.0+git.1590079609.a2ae6ab-3.19.2
- ardana-tempest (SUSE OpenStack Cloud 9): < 9.0+git.1593033709.9495bb2-3.16.2
- crowbar-core (SUSE OpenStack Cloud Crowbar 9): < 6.0+git.1594619891.b75a61d0d-3.25.5
- crowbar-openstack (SUSE OpenStack Cloud Crowbar 9): < 6.0+git.1591795073.49cb6400e-3.25.3
- grafana (SUSE OpenStack Cloud 9): < 6.2.5-3.12.2
- grafana (SUSE OpenStack Cloud Crowbar 9): < 6.2.5-3.12.2
- kibana (SUSE OpenStack Cloud 9): < 4.6.3-4.3.2
- kibana (SUSE OpenStack Cloud Crowbar 9): < 4.6.3-4.3.2
- openstack-barbican (SUSE OpenStack Cloud 9): < 7.0.1~dev24-3.9.5
- openstack-barbican (SUSE OpenStack Cloud Crowbar 9): < 7.0.1~dev24-3.9.5
- openstack-ceilometer (SUSE OpenStack Cloud 9): < 11.1.1~dev7-3.16.3
- openstack-ceilometer (SUSE OpenStack Cloud Crowbar 9): < 11.1.1~dev7-3.16.3
- openstack-cinder (SUSE OpenStack Cloud 9): < 13.0.10~dev12-3.22.4
- openstack-cinder (SUSE OpenStack Cloud Crowbar 9): < 13.0.10~dev12-3.22.4
- openstack-dashboard (SUSE OpenStack Cloud 9): < 14.1.1~dev6-3.15.5
- openstack-dashboard (SUSE OpenStack Cloud Crowbar 9): < 14.1.1~dev6-3.15.5
- openstack-designate (SUSE OpenStack Cloud 9): < 7.0.2~dev2-3.19.3
- openstack-designate (SUSE OpenStack Cloud Crowbar 9): < 7.0.2~dev2-3.19.3
- openstack-heat-templates (SUSE OpenStack Cloud 9): < 0.0.0+git.1582270132.8a20477-3.6.2
- openstack-heat-templates (SUSE OpenStack Cloud Crowbar 9): < 0.0.0+git.1582270132.8a20477-3.6.2
- openstack-ironic (SUSE OpenStack Cloud 9): < 11.1.5~dev6-3.19.3
- openstack-ironic (SUSE OpenStack Cloud Crowbar 9): < 11.1.5~dev6-3.19.3
- openstack-keystone (SUSE OpenStack Cloud 9): < 14.2.1~dev4-3.22.3
- openstack-keystone (SUSE OpenStack Cloud Crowbar 9): < 14.2.1~dev4-3.22.3
- openstack-magnum (SUSE OpenStack Cloud 9): < 7.2.1~dev1-3.13.3
- openstack-magnum (SUSE OpenStack Cloud Crowbar 9): < 7.2.1~dev1-3.13.3
- openstack-manila (SUSE OpenStack Cloud 9): < 7.4.2~dev31-4.24.3
- openstack-manila (SUSE OpenStack Cloud Crowbar 9): < 7.4.2~dev31-4.24.3
- openstack-monasca-agent (SUSE OpenStack Cloud 9): < 2.8.2~dev5-3.9.3
- openstack-monasca-agent (SUSE OpenStack Cloud Crowbar 9): < 2.8.2~dev5-3.9.3
- openstack-neutron-vsphere (SUSE OpenStack Cloud 9): < 2.0.1~dev167-3.3.3
- openstack-neutron-vsphere (SUSE OpenStack Cloud Crowbar 9): < 2.0.1~dev167-3.3.3
- openstack-neutron (SUSE OpenStack Cloud 9): < 13.0.8~dev68-3.25.3
- openstack-neutron (SUSE OpenStack Cloud Crowbar 9): < 13.0.8~dev68-3.25.3
- openstack-nova (SUSE OpenStack Cloud 9): < 18.3.1~dev38-3.25.4
- openstack-nova (SUSE OpenStack Cloud Crowbar 9): < 18.3.1~dev38-3.25.4
- openstack-octavia-amphora-image (SUSE OpenStack Cloud 9): < 0.1.4-7.12.3
- openstack-octavia-amphora-image (SUSE OpenStack Cloud Crowbar 9): < 0.1.4-7.12.3
- openstack-octavia (SUSE OpenStack Cloud 9): < 3.2.3~dev7-3.25.3
- openstack-octavia (SUSE OpenStack Cloud Crowbar 9): < 3.2.3~dev7-3.25.3
Only the first 50 affected package entries are listed here; the remaining packages named in the description (python-Django1, python-Pillow and the other python-* and rubygem-* packages) and their fixed versions are in the SUSE announcement linked under References.
References (59)
- https://www.suse.com/support/update/announcement/-2020-2161/suse-ru-20202161-1/
- https://bugzilla.suse.com/1019111
- https://bugzilla.suse.com/1107190
- https://bugzilla.suse.com/1126503
- https://bugzilla.suse.com/1136928
- https://bugzilla.suse.com/1153191
- https://bugzilla.suse.com/1159046
- https://bugzilla.suse.com/1159447
- https://bugzilla.suse.com/1160151
- https://bugzilla.suse.com/1160152
- https://bugzilla.suse.com/1160153
- https://bugzilla.suse.com/1160192
- https://bugzilla.suse.com/1160790
- https://bugzilla.suse.com/1161088
- https://bugzilla.suse.com/1161089
- https://bugzilla.suse.com/1161670
- https://bugzilla.suse.com/1161919
- https://bugzilla.suse.com/1163446
- https://bugzilla.suse.com/1165022
- https://bugzilla.suse.com/1170657
- https://bugzilla.suse.com/1171070
- https://bugzilla.suse.com/1171071
- https://bugzilla.suse.com/1171072
- https://bugzilla.suse.com/1171273
- https://bugzilla.suse.com/1171594
- https://bugzilla.suse.com/1171909
- https://bugzilla.suse.com/1172166
- https://bugzilla.suse.com/1172167
- https://bugzilla.suse.com/1172409
- https://bugzilla.suse.com/1172522
- https://bugzilla.suse.com/1173413
- https://bugzilla.suse.com/1173416
- https://bugzilla.suse.com/1173418
- https://bugzilla.suse.com/1173420
- https://bugzilla.suse.com/1174006
- https://www.suse.com/security/cve/CVE-2019-16785
- https://www.suse.com/security/cve/CVE-2019-16786
- https://www.suse.com/security/cve/CVE-2019-16789
- https://www.suse.com/security/cve/CVE-2019-16792
- https://www.suse.com/security/cve/CVE-2019-16865
- https://www.suse.com/security/cve/CVE-2019-19844
- https://www.suse.com/security/cve/CVE-2019-19911
- https://www.suse.com/security/cve/CVE-2019-3828
- https://www.suse.com/security/cve/CVE-2020-10177
- https://www.suse.com/security/cve/CVE-2020-10378
- https://www.suse.com/security/cve/CVE-2020-10743
- https://www.suse.com/security/cve/CVE-2020-10755
- https://www.suse.com/security/cve/CVE-2020-10994
- https://www.suse.com/security/cve/CVE-2020-11538
- https://www.suse.com/security/cve/CVE-2020-12052
- https://www.suse.com/security/cve/CVE-2020-13254
- https://www.suse.com/security/cve/CVE-2020-13379
- https://www.suse.com/security/cve/CVE-2020-13596
- https://www.suse.com/security/cve/CVE-2020-5311
- https://www.suse.com/security/cve/CVE-2020-5312
- https://www.suse.com/security/cve/CVE-2020-5313
- https://www.suse.com/security/cve/CVE-2020-7471
- https://www.suse.com/security/cve/CVE-2020-8184
- https://www.suse.com/security/cve/CVE-2020-9402