SUSE-SU-2020:0640-1

Description

Security update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-pumavenv-openstack-swift This update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-puma, venv-openstack-swift fixes the following issues: Security issues fixed: The update of rubygem-crowbar-client, rubygem-puma fixes the following security issues: - CVE-2018-17954: Fixed an issue where crowbar was leaking the secret admin passwords to all nodes (bsc#1117080). - CVE-2019-16770: Fixed a denial-of-service vulnerability that was exploitable by clients sending extraneous keepalive requests (bsc#1158675). The update of mariadb to 10.2.29 fixes several security issues: - CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388). - CVE-2019-18901: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388). - CVE-2017-1002201: Fixed an issue where special characters did not escpae properly (bsc#1155089) - CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2758, CVE-2019-2805, CVE-2019-2938, CVE-2019-2974: Fixed an issue where could lead a remote attacker to cause denial of service (bsc#1156669) Non-security issues fixed: Changes in ardana-cinder: - Update to version 8.0+git.1579279939.ee7da88: * Add option to flatten snapshots when using SES (SOC-11054) - Update to version 8.0+git.1571846011.1a2f62b: * SCRD-4764 move v2.0 endpoints to v3 (SOC-9753) Changes in ardana-cobbler: - Update to version 8.0+git.1575037115.0326803: * Set root device on SLES autoyast templates (SOC-7365) Changes in ardana-designate: - Update to version 8.0+git.1573597788.15b7984: * Update gerrit location (SOC-9140) Changes in ardana-extensions-example: - Switch to new Gerrit Server - Update to version 8.0+git.1534266307.db1ec28: * SCPL-409 Fix .gitreview for stable/pike Changes in ardana-extensions-nsx: - Update to version 8.0+git.1567529036.a41a037: * Update policy json templates for vmware-nsx (SOC-10254) - Switch to new Gerrit Server Changes in ardana-glance: - Update to version 8.0+git.1571846045.ab9e3ea: * SCRD-4764 move v2.0 endpoints to v3 (SOC-9753) Changes in ardana-heat: - Update to version 8.0+git.1571777596.14dce6a: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-input-model: - Update to version 8.0+git.1582147997.b9ed134: * Enable port security extension neutron (SOC-11027) - Update to version 8.0+git.1573658751.38e822a: * Move manila share to controller (SOC-10938) Changes in ardana-ironic: - Update to version 8.0+git.1571845225.006843d: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-keystone: - Update to version 8.0+git.1573147067.09e3ea0: * enable debug and insecure_debug on demand (SOC-10934) Changes in ardana-logging: - Update to version 8.0+git.1572452293.e65d714: * use correct Keystone v3 params bsc#1117840 (SOC-9753) Changes in ardana-monasca: - Update to version 8.0+git.1572527728.9b34bdf: * use correct Keystone v3 params bsc#1117840 (SOC-9753) * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-monasca-transform: - Update to version 8.0+git.1571845965.97714fb: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-mq: - Update to version 8.0+git.1581024906.fbf0be3: * Ensure HA queue sync wait fails (SOC-11083) * Fix HA policy setting comments (SOC-10317, SOC-11082) - Update to version 8.0+git.1580853688.4e72fc1: * Set HA policy accordingly (SOC-10317, SOC-11082) - Update to version 8.0+git.1579014733.a855e3a: * Change the HA policy mirror (SOC-10317) Changes in ardana-neutron: - Update to version 8.0+git.1573050365.ff6fa06: * Kill dhclient before restarting neutron-openvswitch-agent (SOC-9230) - Update to version 8.0+git.1571846086.19cb7eb: * SCRD-4764 move v2.0 endpoints to v3 (SOC-9753) Changes in ardana-nova: - Update to version 8.0+git.1571846125.584d988: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in ardana-octavia: - Update to version 8.0+git.1575642049.1f321d0: * Change event_streamer_driver to noop (bsc#1154235) Changes in ardana-osconfig: - Update to version 8.0+git.1581015942.2d21e63: * Adjust 'fs.inotify.max_user_instances' to align with crowbar (bsc#1161351) - Update to version 8.0+git.1580469528.0ac2a8b: * Start OVS services before wicked service at boot (SOC-11067) Changes in ardana-tempest: - Update to version 8.0+git.1579261264.7dd213a: * Create network resources needed by some heat tests (SOC-7028) - Update to version 8.0+git.1573571182.8fa9823: * Restrore designate test (SOC-9753) - Update to version 8.0+git.1571846164.6279bc0: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in crowbar-core: - Update to version 5.0+git.1582968668.1a55c77c5: * Ignore CVE-2020-7595 in CI (bsc#1161517) - Update to version 5.0+git.1582543433.f71d39544: * Fix deployment queue display (SOC-10741) - Update to version 5.0+git.1580209640.80f2ba3d9: * network: start OVS before wickedd (SOC-11067) - Update to version 5.0+git.1579705862.220974047: * dns: add checks to designate migration (SOC-11047) - Update to version 5.0+git.1579271614.eac1c490c: * upgrade: Add the upgrade menu entry (SOC-11053) * upgrade: Fix upgrade link (SOC-11053) - Update to version 5.0+git.1578989446.a2d23b7e1: * Do not log an error for a case that is correct (trivial) - Update to version 5.0+git.1578472131.b88a31055: * apache2: Restart after enabling SSL flag (SOC-11029) - Update to version 5.0+git.1578295229.96952deab: * Avoid nil crash when provisioner attributes are not set (bsc#1160048) - Update to version 5.0+git.1578063264.d0223905b: * Ignore CVE-2019-16770 (SOC-10999) - Update to version 5.0+git.1576053049.a2f4c9820: * upgrade: Remove DRBD specific code from the preparation parts (SOC-10985) - Update to version 5.0+git.1575020613.fc167f4dc: * List XEN nodes when failing precheck (trivial) - Update to version 5.0+git.1574763025.0a6957f37: * Disable installation repository (bsc#1152007) * Disable automatic repo services (bsc#1152007) * Designate: Don't add the admin node to the public network (SOC-10658) - Update to version 5.0+git.1574715523.ee8e58f4b: * upgrade: Check the result after commiting proposal (noref) * upgrade: Do not try to disable services that might not exist (noref) - Update to version 5.0+git.1574667034.76644f658: * [upgrade] Remove existing upgrade directories from nodes (SOC-10956) - Update to version 5.0+git.1574348992.88de970a6: * [upgrade] Wait for keystone to be ready after start (bsc#1157206) - Update to version 5.0+git.1574270784.294f0e830: * upgrade: Ignore Cloud repository during repocheck (bsc#1152007) - Update to version 5.0+git.1574165163.52870c62e: * [upgrade] Call finalize_nodes_upgrade at the very end (bsc#1155942) - Update to version 5.0+git.1574103089.1fbb5a51d: * Ignore CVE-2019-13117 in CI builds (bsc#1157028) * upgrade: Make the time before next upgrade configurable (SOC-10955) * upgrade: Make sure cinder-volume is really stopped (bsc#1156305) - Update to version 5.0+git.1573110008.449237f0d: * Allow pacemaker remotes for upgrade (SOC-10133) * upgrade: Precheck for unsaved proposals (SOC-10912) - Update to version 5.0+git.1572880575.4a6efa3a1: * upgrade: Add a precheck for XEN compute nodes presence (SOC-10495) * upgrade: Reload repo config in repochecks (SOC-10718) - Update to version 5.0+git.1572097431.519baa552: * Ignore CVE-2017-1002201 in CI builds (bsc#1155089) - Update to version 5.0+git.1571210032.8648ab99c: * Revert 'Use block-migration when needed' (SOC-10133) Changes in crowbar-ha: - Update to version 5.0+git.1574286229.e0364c3: * Drop g-haproxy location before group deletion (bsc#1156914) Changes in crowbar-openstack: - Update to version 5.0+git.1582911795.5081ef1da: * designate: Mark as user managed (SOC-10233) * Designate: make sure dns-server is active on a non-admin node (SOC-10636) - Update to version 5.0+git.1580549331.ba1e1a0a3: * [5.0] ec2-api: run keystone_register on cluster founder only (SOC-11079) - Update to version 5.0+git.1579182968.f54cfa8f5: * tempest: tempest run filters as templates (SOC-11052) - Update to version 5.0+git.1578515319.fdab3a0b2: * Install openstack client for neutron recipes (SOC-11039) - Update to version 5.0+git.1576764142.8efe58655: * Do not read data from barclamp that has not been saved (SOC-11028) - Update to version 5.0+git.1576666547.b7a0b8814: * Revert 'Octavia: Hide UI until complete (SOC-10550)' - Update to version 5.0+git.1576250115.67b80cbca: * [5.0] tempest: Update default image on schema (SOC-11023) - Update to version 5.0+git.1576078873.ecc798ffe: * neutron: Revert remove .openrc creation from neutron cookbooks (SOC-10378) * keystone: Add OS_INTERFACE env var to .openrc (SOC-11006) - Update to version 5.0+git.1574927541.694ac3863: * designate: move keystone resource lookup to convergence (SOC-10887) - Update to version 5.0+git.1574769056.07a7c373e: * designate: declare all mdns servers as master on pool config (SOC-10952) * designate: add support for SSL (SOC-10877) * designate: change default configuration (SOC-10899) - Update to version 5.0+git.1574421761.ace345683: * Add tempest filter for designate (SOC-10288) - Update to version 5.0+git.1574359417.113b616b2: * horizon: install lbaas horizon dashboard (SOC-10883) - Update to version 5.0+git.1572937880.ffb86e88b: * Make sure the input file with ssh key exists (SOC-10133) - Update to version 5.0+git.1571764038.ad48726d6: * mysql: fix WSREP sync race (SOC-10717) * mysql: stop service for mysql_install_db (SOC-10717) * Do not use obsoleted --endpoint-type option with CLI - Update to version 5.0+git.1571323259.7402ef5eb: * [5.0] Tempest: blacklist test_volume_boot_pattern (SOC-10874) - Update to version 5.0+git.1571241534.f4af21325: * rabbitmq: fix migration 200 (SOC-10623) * Fix Cloud 8 no-op migrations (SOC-10623) * neutron-lbaas: remove loadbalancer/pool limit * [5.0] Configurable timeout for Galera pre-sync - Update to version 5.0+git.1571138324.edb9e8b56: * horizon: tighten check for existence of monasca while deploying grafana * monasca: improve detection if monasca-server is available * monasca: install agent before run setup monitors in server * Monasca: Handle node reinstall (jsc#SOC-10440, bsc#1148158 ) - Update to version 5.0+git.1570618886.06022a6ef: * glance: Set barbican auth endpoint (bsc#1123191, SOC-10844) * tempest: Add barbican run_filters from ardana (SOC-10844) * Fix nova tempest tests (SOC-9298, SOC-10844) - Update to version 5.0+git.1570505588.4bdc5aa6f: * No rndc key if no public DNS server (SOC-10835) Changes in crowbar-ui: - Update to version 1.2.0+git.1575896697.a01a3a08: * upgrade: Added missing error title * travis: Stop testing against nodejs4 - Update to version 1.2.0+git.1572871359.50fc6087: * Add title for XEN compute nodes precheck (SOC-10495) Changes in keepalived: - update to 2.0.19 - new BR pkgconfig(libnftnl) to fix nftables support - add nftables to the BR - added patch * linux-4.15.patch - add buildrequires for file-devel - used in the checker to verify scripts - enable json stats and config dump support new BR: pkgconfig(json-c) - enable http regexp support: new BR pcre2-devel - disable dbus instance creation support as it is marked as dangerous - Add BFD build option to keepalived.spec rpm file Issue #1114 identified that the keepalived.spec file was not being generated to build BFD support even if keepalived had been configured to support it. - full changelog https://keepalived.org/changelog.html Changes in mariadb: - update to 10.2.31 GA [bsc#1162388] * Fixes for the following security vulnerabilities: * 10.2.31: CVE-2020-2574 * 10.2.30: none * release notes and changelog: https://mariadb.com/kb/en/library/mariadb-10231-release-notes https://mariadb.com/kb/en/library/mariadb-10231-changelog https://mariadb.com/kb/en/library/mariadb-10230-release-notes https://mariadb.com/kb/en/library/mariadb-10230-changelog - refresh mariadb-10.1.12-deharcode-libdir.patch - remove mariadb-10.2.29-bufferoverflowstrncat.patch (upstreamed) - pack pam_user_map.so module in the /%{_lib}/security directory and user_map.conf configuration file in the /etc/security directory - fix race condition with mysql_upgrade_info status file by moving it to the location owned by root (/var/lib/misc) CVE-2019-18901 [bsc#1160895] - move .run-mysql_upgrade file from $datadir/.run-mysql_upgrade to /var/lib/misc/.mariadb_run_upgrade so the mysql user can't use it for a symlink attack [bsc#1160912] - on BTRFS systems /var/lib/mysql is created as a subvolume with 755 permissions during the system installaion. Fix it to 700 as mysql_install_db doesn't do it [bsc#1077717] - add important options to mariadb.service and mariadb@.service (ProtectSystem, ProtectHome and UMask) [bsc#1160878] - mysql-systemd-helper: use systemd-tmpfiles instead of shell script operations for a cleaner and safer creating of /run/mysql [bsc#1160883] - update to 10.2.29 GA * Fixes for the following security vulnerabilities: * 10.2.29: none * 10.2.28: CVE-2019-2974, CVE-2019-2938 * 10.2.27: none * 10.2.26: CVE-2019-2805, CVE-2019-2740, CVE-2019-2739, CVE-2019-2737, CVE-2019-2758 * release notes and changelog: https://mariadb.com/kb/en/library/mariadb-10229-release-notes https://mariadb.com/kb/en/library/mariadb-10229-changelog https://mariadb.com/kb/en/library/mariadb-10228-release-notes https://mariadb.com/kb/en/library/mariadb-10228-changelog https://mariadb.com/kb/en/library/mariadb-10227-release-notes https://mariadb.com/kb/en/library/mariadb-10227-changelog https://mariadb.com/kb/en/library/mariadb-10226-release-notes https://mariadb.com/kb/en/library/mariadb-10226-changelog - refresh mariadb-10.0.15-logrotate-su.patch mariadb-10.2.4-logrotate.patch - add mariadb-10.2.29-bufferoverflowstrncat.patch to fix 'Statement might be overflowing a buffer in strncat' error - tracker bug [bsc#1156669] - add main.gis_notembedded to the skipped tests (fails when latin1 is not set) Changes in openstack-cinder: - Update to version cinder-11.2.3.dev23: * Fix handling of 'cinder\_encryption\_key\_id' image metadata - Update to version cinder-11.2.3.dev21: * Add retry to LVM deactivation - Update to version cinder-11.2.3.dev19: * Fix ceph: only close rbd image after snapshot iteration is finished - Update to version cinder-11.2.3.dev17: * Exclude disabled API versions from listing Changes in openstack-cinder: - Update to version cinder-11.2.3.dev23: * Fix handling of 'cinder\_encryption\_key\_id' image metadata - Update to version cinder-11.2.3.dev21: * Add retry to LVM deactivation - Update to version cinder-11.2.3.dev19: * Fix ceph: only close rbd image after snapshot iteration is finished - Update to version cinder-11.2.3.dev17: * Exclude disabled API versions from listing Changes in openstack-dashboard: - Update to version horizon-12.0.5.dev2: * Use python 2.7 as the default interpreter in tox * OpenDev Migration Patch 12.0.4 Changes in openstack-dashboard-theme-SUSE: - Update to version 2017.2+git.1573629528.6b21fa5: * SCRD-7984 fixed help links Changes in openstack-heat: - Update to version heat-9.0.8.dev22: * Do deepcopy when copying templates - Update to version heat-9.0.8.dev21: * Set stack.thread\_group\_mgr for cancel\_update * Eliminate client race condition in convergence delete * Delete snapshots using contemporary resources - Update to version heat-9.0.8.dev15: * Unskip StackSnapshotRestoreTest - Update to version heat-9.0.8.dev14: * Fix translate tenants in flavor Changes in openstack-heat: - Update to version heat-9.0.8.dev22: * Do deepcopy when copying templates - Update to version heat-9.0.8.dev21: * Set stack.thread\_group\_mgr for cancel\_update * Eliminate client race condition in convergence delete * Delete snapshots using contemporary resources - Update to version heat-9.0.8.dev15: * Unskip StackSnapshotRestoreTest - Update to version heat-9.0.8.dev14: * Fix translate tenants in flavor Changes in openstack-heat-templates: - Update to version 0.0.0+git.1560033670.e3b5a52: * Add example for running Zun container * OpenDev Migration Patch * Replace openstack.org git:// URLs with https:// * Remove docs, deprecated hooks, tests * Update the bugs link to storyboard * Use octavia resources for autoscaling example * Fix the incorrect cirros default password Changes in openstack-horizon-plugin-designate-ui: - Update to version designate-dashboard-5.0.3.dev2: * Fix list zones updated at same time * OpenDev Migration Patch 5.0.2 Changes in openstack-horizon-plugin-neutron-lbaas-ui: - Add _1481_project_ng_loadbalancersv2_panel.pyc file to package (SOC-10883) The .pyc file needs to be removed when the package is uninstalled, otherwise the panel will remain enabled in the dashboard and cause errors. Changes in openstack-ironic: - Update to version ironic-9.1.8.dev8: * Place upper bound on python-dracclient version Changes in openstack-ironic: - Update to version ironic-9.1.8.dev8: * Place upper bound on python-dracclient version Changes in openstack-keystone: - Update to version keystone-12.0.4.dev5: * Import LDAP job into project Changes in openstack-keystone: - Update to version keystone-12.0.4.dev5: * Import LDAP job into project Changes in openstack-monasca-agent: - Added dependency: * fdupes * pwdutils and shadow-utils for useradd/groupadd - added 0001-add-X.509-certificate-check-plugin.patch Changes in openstack-neutron: - Update to version neutron-11.0.9.dev60: * Set DB retry for quota\_enforcement pecan\_wsgi hook - Update to version neutron-11.0.9.dev58: * don't clear skb mark when ovs is hw-offload enabled - Update to version neutron-11.0.9.dev57: * doc: add known limitation about attaching SR-IOV ports - Update to version neutron-11.0.9.dev56: * raise priority of dead vlan drop - Update to version neutron-11.0.9.dev54: * [Unit tests] Skip TestWSGIServer with IPv6 if no IPv6 enabled - Update to version neutron-11.0.9.dev52: * Initialize phys bridges before setup\_rpc Changes in openstack-neutron: - Update neutron-ha-tool to latest version: * Add DHCP agent evacuation (SOC-11046) - Update to version neutron-11.0.9.dev60: * Set DB retry for quota\_enforcement pecan\_wsgi hook - Update to version neutron-11.0.9.dev58: * don't clear skb mark when ovs is hw-offload enabled - neutron: Remove stop action from ovs-cleanup (bsc#1157482) backport of https://review.opendev.org/#/c/695867/ - Update to version neutron-11.0.9.dev57: * doc: add known limitation about attaching SR-IOV ports - Update to version neutron-11.0.9.dev56: * raise priority of dead vlan drop - Update to version neutron-11.0.9.dev54: * [Unit tests] Skip TestWSGIServer with IPv6 if no IPv6 enabled - Update to version neutron-11.0.9.dev52: * Initialize phys bridges before setup\_rpc Changes in openstack-neutron-gbp: - Update to version group-based-policy-7.3.1.dev72: * Refactor static path code - Update to version group-based-policy-7.3.1.dev71: * Support named ip protocols for SecurityGroupRules - Update to version group-based-policy-7.3.1.dev70: * Allow both FIP and SNAT on a single port - Update to version group-based-policy-7.3.1.dev69: * Fix active-active AAP RPC query - Update to version group-based-policy-7.3.1.dev67: * [AIM] Add extra provided/consumed contracts to network extension - Update to version group-based-policy-7.3.1.dev66: * Active active AAP feature - Update to version group-based-policy-7.3.1.dev64: * Support cache option for legacy GBP driver - Update to version group-based-policy-7.3.1.dev63: * Fix host ID length in VM names table - Update to version group-based-policy-7.3.1.dev62: * Update\_proj\_descr in apic when project description is updated in os - Update to version group-based-policy-7.3.1.dev61: * Send port notifications when host\_route is getting updated * Provide a control knob to use the internal EP interface - Update to version group-based-policy-7.3.1.dev57: * Fix pep8 failures seen on submitted patches Changes in openstack-neutron-vsphere: - Update to version networking-vsphere-2.0.1.dev133: * Update to use Agent model from neutron.db.models * Fix neutron-dvs-agent startup errors * OpenDev Migration Patch - Remove 0001-fix-dvs-agent-config.patch as changes had been backported to stable/pike - See https://review.opendev.org/#/c/682482 Changes in openstack-nova: - Update to version nova-16.1.9.dev49: * Use stable constraint for Tempest pinned stable branches - Update to version nova-16.1.9.dev48: * Avoid redundant initialize\_connection on source post live migration * Error out interrupted builds * Skip checking of target\_dev for vhostuser * Functional reproduce for bug 1833581 * Prevent init\_host test to interfere with other tests * Add functional test for resize crash compute restart revert * Move restart\_compute\_service to a common place * lxc: make use of filter python3 compatible * cleanup evacuated instances not on hypervisor * Delete resource providers for all nodes when deleting compute service - Update to version nova-16.1.9.dev30: * Explicitly fail if trying to attach SR-IOV port * Stabilize unshelve notification sample tests - Update to version nova-16.1.9.dev26: * Fix listing deleted servers with a marker * Add functional regression test for bug 1849409 - Update to version nova-16.1.9.dev22: * Hook resource\_tracker to remove stale node information - Update to version nova-16.1.9.dev20: * Workaround missing RequestSpec.instance\_group.uuid * Add regression recreate test for bug 1830747 - Update to version nova-16.1.9.dev16: * Changing scheduler sync event from INFO to DEBUG - Update to version nova-16.1.9.dev14: * Only nil az during shelve offload * Delete instance\_id\_mappings record in instance\_destroy - Update to version nova-16.1.9.dev11: * Revert 'openstack server create' to 'nova boot' in nova docs * doc: fix and clarify --block-device usage in user docs - Update to version nova-16.1.9.dev8: * Functional reproduce for bug 1852207 Changes in openstack-nova: - Update to version nova-16.1.9.dev49: * Use stable constraint for Tempest pinned stable branches - Update to version nova-16.1.9.dev48: * Avoid redundant initialize\_connection on source post live migration * Error out interrupted builds * Skip checking of target\_dev for vhostuser * Functional reproduce for bug 1833581 * Prevent init\_host test to interfere with other tests * Add functional test for resize crash compute restart revert * Move restart\_compute\_service to a common place * lxc: make use of filter python3 compatible * cleanup evacuated instances not on hypervisor * Delete resource providers for all nodes when deleting compute service - Update to version nova-16.1.9.dev30: * Explicitly fail if trying to attach SR-IOV port * Stabilize unshelve notification sample tests - Update to version nova-16.1.9.dev26: * Fix listing deleted servers with a marker * Add functional regression test for bug 1849409 - Update to version nova-16.1.9.dev22: * Hook resource\_tracker to remove stale node information - Update to version nova-16.1.9.dev20: * Workaround missing RequestSpec.instance\_group.uuid * Add regression recreate test for bug 1830747 - Update to version nova-16.1.9.dev16: * Changing scheduler sync event from INFO to DEBUG - Update to version nova-16.1.9.dev14: * Only nil az during shelve offload * Delete instance\_id\_mappings record in instance\_destroy - Update to version nova-16.1.9.dev11: * Revert 'openstack server create' to 'nova boot' in nova docs * doc: fix and clarify --block-device usage in user docs - Update to version nova-16.1.9.dev8: * Functional reproduce for bug 1852207 Changes in openstack-octavia: - Update to version octavia-1.0.6.dev3: * Fix urgent amphora two-way auth security bug Changes in openstack-octavia-amphora-image: - Update image to 0.1.2 to include udated keepalived 2.0.19 - Update image to 0.1.1 to include latest changes - Add keepalived service Changes in openstack-resource-agents: - Update to version 1.0+git.1569436425.8b9c49f: * Add a configurable delay to Nova Evacuate calls * OpenDev Migration Patch * NovaEvacuate: fix a syntax error * NovaEvacuate: Support the new split-out IHA fence agents with backwards compatibility * NovaEvacuate: Correctly handle stopped hypervisors * neutron-ha-tool: do not replicate dhcp * NovaCompute: Support parsing host option from /etc/nova/nova.conf.d * NovaCompute: Use variable to avoid calling crudini a second time * NovaEvacuate: Allow debug logging to be turned on easily Changes in openstack-sahara: - Update to version sahara-7.0.5.dev4: * Run sahara-scenario using Python 3 * Enforce python 2 for documentation build * Fix requirements(bandit) * OpenDev Migration Patch 7.0.4 Changes in openstack-sahara: - Update to version sahara-7.0.5.dev4: * Run sahara-scenario using Python 3 * Enforce python 2 for documentation build * Fix requirements (bandit) * OpenDev Migration Patch 7.0.4 Changes in openstack-trove: - Update to version trove-8.0.2.dev2: * Add local bindep.txt * OpenDev Migration Patch 8.0.1 Changes in openstack-trove: - Update to version trove-8.0.2.dev2: * Add local bindep.txt * OpenDev Migration Patch 8.0.1 Changes in python-cinderlm: - Update to version 0.0.2+git.1571845893.27f0b7b: * SCRD-4764 remove V2.0 auth end points (SOC-9753) Changes in python-congressclient: - update to version 1.8.1 - Update .gitreview for stable/pike - Update UPPER_CONSTRAINTS_FILE for stable/pike - import zuul job settings from project-config - Updated from global requirements Changes in python-designateclient: - update to version 2.7.1 - Update .gitreview for stable/pike - Updated from global requirements - import zuul job settings from project-config - Update UPPER_CONSTRAINTS_FILE for stable/pike - server-get/update show wrong values about 'id' and 'update_at' Changes in python-ironic-lib: - update to version 2.10.2 - Replace openstack.org git:// URLs with https:// - Make search for config drive partition case insensitive - Revert 'Use dd conv=sparse when writing images to nodes' - Check GPT table with sgdisk insread of partprobe - Avoid tox_install.sh for constraints support - Fix GPT bug with whole disk images - import zuul job settings from project-config Changes in python-networking-cisco: - Update to version networking-cisco-6.1.1.dev65: * Nexus: Add CA Bundle path to https doc * Improve Nexus Ironic related doc and logs * Upgrade release notes to include Tripleo/puppet * Fix socket not closed errors in unit test logs * Add release note about adding support for Rocky OpenStack * Update publish-openstack-python-branch-tarball job * Remove MultiConfigParser from SAF application * More fixes for networking\_cisco rocky support * Remove MultiConfigParser from the device manger config loader * Ensure CFG agent is started after neutron config is written * Removed older version of python added 3.5 * Begin process of supporting neutron Rocky * Typo in tar command in doc install guide * Add cisco providernet extension to Nexus doc * Add missing policy to fix stable/queens unit tests * Pin stestr version (1.1.0) for Mitaka * Fix places in ucsm network driver using .ucsm instead of .ucsms * Fix doc build under python3 * Fix mitaka bug with NeutronWorker missing parameter * Eliminate 30 sec delay for Nexus replay thread * Fix foreign key constraint violation while creating primary key with subnet\_id * Put upper constraint on ncclient version to prevent breakages * Improvements to the networking-cisco zuul jobs * Remove deprecated host/interface map config * Include device manager configuration file when starting config agent * Fix pep8 and other tox environments locally * Add rocky to CI * Add bandit to tox and resolve Nexus SA errors * Deprecate old ML2 Nexus/UCSM documentation file * Secure Nexus https certificates by default - Add tempest_plugin subpackage Changes in python-osc-lib: - update to version 1.7.1 - import zuul job settings from project-config - Update UPPER_CONSTRAINTS_FILE for stable/pike - Updated from global requirements - Update .gitreview for stable/pike - Avoid tox_install.sh for constraints support Changes iython-oslo.context: - update to version 2.17.2 - Fix sphinx-docs job for stable branch - import zuul job settings from project-config Changes in python-oslo.rootwrap: - update to version 5.9.3 - Avoid tox_install.sh for constraints support - Follow the new PTI for document build - import zuul job settings from project-config Changes in python-oslo.serialization: - update to version 2.20.3 - import zuul job settings from project-config - Fix sphinx-docs job for stable branch Changes in python-oslo.service: - update to version 1.25.2 - import zuul job settings from project-config - Fix sphinx-docs job for stable branch Changes in python-stevedore: - update to version 1.25.2 - move doc requirements to doc/requirements.txt - Use stable branch for upper-constraints - remove duplicate sphinx dependency - Avoid tox_install.sh for constraints support - import zuul job settings from project-config Changes in python-taskflow: - update to version 2.14.2 - don't let tox_install.sh error if there is nothing to do - import zuul job settings from project-config - Updated from global requirements - Use doc/requirements.txt Changes in rubygem-crowbar-client: - Update to 3.9.1 - Fix repocheck table output (SOC-10718) - Enable restricted commands for Cloud8 (bsc#1117080, CVE-2018-17954) Changes in rubygem-puma: - Add CVE-2019-16770.patch (bsc#1158675, SOC-10999, CVE-2019-16770) This patch fixes a DoS vulnerability a malicious client could use to block a large amount of threads. Changes in venv-openstack-swift: - Fix lower version numver after inheriting the version from main component (SCRD-8523) - Revert: 'Inherit version number of venv from main component (SCRD-8523)' as zypper reports the new version number as older than what is released - Inherit version number of venv from main component (SCRD-8523)

Affected Systems

• suse•ardana-cinder&distro=HPE Helion OpenStack 8

  < 8.0+git.1579279939.ee7da88-3.39.3

• suse•ardana-cinder&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1579279939.ee7da88-3.39.3

• suse•ardana-cobbler&distro=HPE Helion OpenStack 8

  < 8.0+git.1575037115.0326803-3.41.3

• suse•ardana-cobbler&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1575037115.0326803-3.41.3

• suse•ardana-designate&distro=HPE Helion OpenStack 8

  < 8.0+git.1573597788.15b7984-3.17.3

• suse•ardana-designate&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1573597788.15b7984-3.17.3

• suse•ardana-extensions-example&distro=HPE Helion OpenStack 8

  < 8.0+git.1534266307.db1ec28-3.3.3

• suse•ardana-extensions-example&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1534266307.db1ec28-3.3.3

• suse•ardana-extensions-nsx&distro=HPE Helion OpenStack 8

  < 8.0+git.1567529036.a41a037-3.6.4

• suse•ardana-extensions-nsx&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1567529036.a41a037-3.6.4

• suse•ardana-glance&distro=HPE Helion OpenStack 8

  < 8.0+git.1571846045.ab9e3ea-3.20.3

• suse•ardana-glance&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1571846045.ab9e3ea-3.20.3

• suse•ardana-heat&distro=HPE Helion OpenStack 8

  < 8.0+git.1571777596.14dce6a-3.15.3

• suse•ardana-heat&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1571777596.14dce6a-3.15.3

• suse•ardana-input-model&distro=HPE Helion OpenStack 8

  < 8.0+git.1582147997.b9ed134-3.36.3

• suse•ardana-input-model&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1582147997.b9ed134-3.36.3

• suse•ardana-ironic&distro=HPE Helion OpenStack 8

  < 8.0+git.1571845225.006843d-3.9.3

• suse•ardana-ironic&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1571845225.006843d-3.9.3

• suse•ardana-keystone&distro=HPE Helion OpenStack 8

  < 8.0+git.1573147067.09e3ea0-3.27.3

• suse•ardana-keystone&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1573147067.09e3ea0-3.27.3

• suse•ardana-logging&distro=HPE Helion OpenStack 8

  < 8.0+git.1572452293.e65d714-3.21.3

• suse•ardana-logging&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1572452293.e65d714-3.21.3

• suse•ardana-monasca-transform&distro=HPE Helion OpenStack 8

  < 8.0+git.1571845965.97714fb-3.12.3

• suse•ardana-monasca-transform&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1571845965.97714fb-3.12.3

• suse•ardana-monasca&distro=HPE Helion OpenStack 8

  < 8.0+git.1572527728.9b34bdf-3.21.3

• suse•ardana-monasca&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1572527728.9b34bdf-3.21.3

• suse•ardana-mq&distro=HPE Helion OpenStack 8

  < 8.0+git.1581024906.fbf0be3-3.16.3

• suse•ardana-mq&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1581024906.fbf0be3-3.16.3

• suse•ardana-neutron&distro=HPE Helion OpenStack 8

  < 8.0+git.1573050365.ff6fa06-3.36.3

• suse•ardana-neutron&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1573050365.ff6fa06-3.36.3

• suse•ardana-nova&distro=HPE Helion OpenStack 8

  < 8.0+git.1571846125.584d988-3.38.3

• suse•ardana-nova&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1571846125.584d988-3.38.3

• suse•ardana-octavia&distro=HPE Helion OpenStack 8

  < 8.0+git.1575642049.1f321d0-3.23.3

• suse•ardana-octavia&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1575642049.1f321d0-3.23.3

• suse•ardana-osconfig&distro=HPE Helion OpenStack 8

  < 8.0+git.1581015942.2d21e63-3.42.3

• suse•ardana-osconfig&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1581015942.2d21e63-3.42.3

• suse•ardana-tempest&distro=HPE Helion OpenStack 8

  < 8.0+git.1579261264.7dd213a-3.30.3

• suse•ardana-tempest&distro=SUSE OpenStack Cloud 8

  < 8.0+git.1579261264.7dd213a-3.30.3

• suse•crowbar-core&distro=SUSE OpenStack Cloud Crowbar 8

  < 5.0+git.1582968668.1a55c77c5-3.35.4

• suse•crowbar-ha&distro=SUSE OpenStack Cloud Crowbar 8

  < 5.0+git.1574286229.e0364c3-3.29.3

• suse•crowbar-openstack&distro=SUSE OpenStack Cloud Crowbar 8

  < 5.0+git.1582911795.5081ef1da-4.34.3

• suse•crowbar-ui&distro=SUSE OpenStack Cloud Crowbar 8

  < 1.2.0+git.1575896697.a01a3a08-3.15.3

• suse•keepalived&distro=HPE Helion OpenStack 8

  < 2.0.19-3.6.3

• suse•keepalived&distro=SUSE OpenStack Cloud 8

  < 2.0.19-3.6.3

• suse•keepalived&distro=SUSE OpenStack Cloud Crowbar 8

  < 2.0.19-3.6.3

• suse•mariadb&distro=HPE Helion OpenStack 8

  < 10.2.31-4.17.3

• suse•mariadb&distro=SUSE OpenStack Cloud 8

  < 10.2.31-4.17.3

• suse•mariadb&distro=SUSE OpenStack Cloud Crowbar 8

  < 10.2.31-4.17.3

• suse•openstack-cinder-doc&distro=HPE Helion OpenStack 8

  < 11.2.3~dev23-3.24.3

• suse•openstack-cinder-doc&distro=SUSE OpenStack Cloud 8

  < 11.2.3~dev23-3.24.3

Showing first 50 affected entries in server-rendered view.

References (39)

• https://www.suse.com/support/update/announcement/2020/suse-su-20200640-1/
• https://bugzilla.suse.com/1077717
• https://bugzilla.suse.com/1117080
• https://bugzilla.suse.com/1117840
• https://bugzilla.suse.com/1123191
• https://bugzilla.suse.com/1148158
• https://bugzilla.suse.com/1152007
• https://bugzilla.suse.com/1154235
• https://bugzilla.suse.com/1155089
• https://bugzilla.suse.com/1155942
• https://bugzilla.suse.com/1156305
• https://bugzilla.suse.com/1156669
• https://bugzilla.suse.com/1156914
• https://bugzilla.suse.com/1157028
• https://bugzilla.suse.com/1157206
• https://bugzilla.suse.com/1157482
• https://bugzilla.suse.com/1158675
• https://bugzilla.suse.com/1160048
• https://bugzilla.suse.com/1160878
• https://bugzilla.suse.com/1160883
• https://bugzilla.suse.com/1160895
• https://bugzilla.suse.com/1160912
• https://bugzilla.suse.com/1161351
• https://bugzilla.suse.com/1161517
• https://bugzilla.suse.com/1162388
• https://www.suse.com/security/cve/CVE-2017-1002201
• https://www.suse.com/security/cve/CVE-2018-17954
• https://www.suse.com/security/cve/CVE-2019-13117
• https://www.suse.com/security/cve/CVE-2019-16770
• https://www.suse.com/security/cve/CVE-2019-18901
• https://www.suse.com/security/cve/CVE-2019-2737
• https://www.suse.com/security/cve/CVE-2019-2739
• https://www.suse.com/security/cve/CVE-2019-2740
• https://www.suse.com/security/cve/CVE-2019-2758
• https://www.suse.com/security/cve/CVE-2019-2805
• https://www.suse.com/security/cve/CVE-2019-2938
• https://www.suse.com/security/cve/CVE-2019-2974
• https://www.suse.com/security/cve/CVE-2020-2574
• https://www.suse.com/security/cve/CVE-2020-7595