Oval Definition:oval:org.opensuse.security:def:84643
Revision Date:2021-07-28Version:1
Title:Security update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema (Moderate)
Description:

This update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema fixes the following issues:

Security fixes included on this update:

cassandra-kit: - CVE-2020-17516: Internode encryption enforcement vulnerability

cassandra: - CVE-2020-17516: Internode encryption enforcement vulnerability - CVE-2017-5929 logback: Fixed a serialization vulnerability in SocketServer and ServerSocketReceiver

crowbar-core: CVE-2020-26247: Potentially XXE or SSRF attacks by parsed Nokogiri::XML::Schema

grafana: - CVE-2021-27358: Unauthenticated remote attackers to trigger a Denial of Service via a remote API call

kibana: - CVE-2017-11481: Fixed an XSS via URL fields - CVE-2017-11499: Fixed a constant hashtable seeds vulnerability

python-Django: - CVE-2021-28658: Potential directory-traversal via uploaded files - CVE-2021-31542: Potential directory-traversal via uploaded files - CVE-2021-33203: Potential directory traversal via admindocs - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses - CVE-2021-23336: Fixed web cache poisoning via django.utils.http.limited_parse_qsl

python-eventlet: - CVE-2021-21419: Improper handling of highly compressed data and memory allocation with excessive size value

python-pysaml2: - CVE-2021-21238: Fixed an improper verification of cryptographic signatures for signed SAML documents - CVE-2021-21239: Fixed an improper verification of cryptographic signatures when using CryptoBackendXmlSec1()_

python-py: - CVE-2020-29651: Regular expression denial of service in svnwc.py

rubygem-activerecord-session_store: - CVE-2019-25025: Fixed a hijack sessions by using timing attacks targeting the session id CVE-2019-16782

Non-security fixes included on this update:

Changes in ardana-cobbler: - Update to version 8.0+git.1614096566.e8c2b27: * Change install_recommended to true (bsc#1181828)

Changes in cassandra: - update to 3.11.10 (bsc#1181689, CVE-2020-17516) * Fix digest computation for queries with fetched but non queried columns (CASSANDRA-15962) * Reduce amount of allocations during batch statement execution (CASSANDRA-16201) * Update jflex-1.6.0.jar to match upstream (CASSANDRA-16393) * Fix DecimalDeserializer#toString OOM (CASSANDRA-14925) * Rate limit validation compactions using compaction_throughput_mb_per_sec (CASSANDRA-16161) * SASI's `max_compaction_flush_memory_in_mb` settings over 100GB revert to default of 1GB (CASSANDRA-16071) * Prevent unbounded number of pending flushing tasks (CASSANDRA-16261) * Improve empty hint file handling during startup (CASSANDRA-16162) * Allow empty string in collections with COPY FROM in cqlsh (CASSANDRA-16372) * Fix skipping on pre-3.0 created compact storage sstables due to missing primary key liveness (CASSANDRA-16226) * Extend the exclusion of replica filtering protection to other indices instead of just SASI (CASSANDRA-16311) * Synchronize transaction logs for JBOD (CASSANDRA-16225) * Fix the counting of cells per partition (CASSANDRA-16259) * Fix serial read/non-applying CAS linearizability (CASSANDRA-12126) * Avoid potential NPE in JVMStabilityInspector (CASSANDRA-16294) * Improved check of num_tokens against the length of initial_token (CASSANDRA-14477) * Fix a race condition on ColumnFamilyStore and TableMetrics (CASSANDRA-16228) * Remove the SEPExecutor blocking behavior (CASSANDRA-16186) * Fix invalid cell value skipping when reading from disk (CASSANDRA-16223) * Prevent invoking enable/disable gossip when not in NORMAL (CASSANDRA-16146) * Wait for schema agreement when bootstrapping (CASSANDRA-15158) * Fix the histogram merge of the table metrics (CASSANDRA-16259) * Synchronize Keyspace instance store/clear (CASSANDRA-16210) * Fix ColumnFilter to avoid querying cells of unselected complex columns (CASSANDRA-15977) * Fix memory leak in CompressedChunkReader (CASSANDRA-15880) * Don't attempt value skipping with mixed version cluster (CASSANDRA-15833) * Avoid failing compactions with very large partitions (CASSANDRA-15164) * Make sure LCS handles duplicate sstable added/removed notifications correctly (CASSANDRA-14103) * Fix OOM when terminating repair session (CASSANDRA-15902) * Avoid marking shutting down nodes as up after receiving gossip shutdown message (CASSANDRA-16094) * Check SSTables for latest version before dropping compact storage (CASSANDRA-16063) * Handle unexpected columns due to schema races (CASSANDRA-15899) * Add flag to ignore unreplicated keyspaces during repair (CASSANDRA-15160) * Package tools/bin scripts as executable (CASSANDRA-16151) * Fixed a NullPointerException when calling nodetool enablethrift (CASSANDRA-16127) * Correctly interpret SASI's `max_compaction_flush_memory_in_mb` setting in megabytes not bytes (CASSANDRA-16071) * Fix short read protection for GROUP BY queries (CASSANDRA-15459) * Frozen RawTuple is not annotated with frozen in the toString method (CASSANDRA-15857) Merged from 3.0: * Use IF NOT EXISTS for index and UDT create statements in snapshot schema files (CASSANDRA-13935) * Fix gossip shutdown order (CASSANDRA-15816) * Remove broken 'defrag-on-read' optimization (CASSANDRA-15432) * Check for endpoint collision with hibernating nodes (CASSANDRA-14599) * Operational improvements and hardening for replica filtering protection (CASSANDRA-15907) * stop_paranoid disk failure policy is ignored on CorruptSSTableException after node is up (CASSANDRA-15191) * Forbid altering UDTs used in partition keys (CASSANDRA-15933) * Fix empty/null json string representation (CASSANDRA-15896) * 3.x fails to start if commit log has range tombstones from a column which is also deleted (CASSANDRA-15970) * Handle difference in timestamp precision between java8 and java11 in LogFIle.java (CASSANDRA-16050) Merged from 2.2: * Fix CQL parsing of collections when the column type is reversed (CASSANDRA-15814) * Only allow strings to be passed to JMX authentication (CASSANDRA-16077) * Fix cqlsh output when fetching all rows in batch mode (CASSANDRA-15905) * Upgrade Jackson to 2.9.10 (CASSANDRA-15867) * Fix CQL formatting of read command restrictions for slow query log (CASSANDRA-15503) * Allow sstableloader to use SSL on the native port (CASSANDRA-14904) * Backport CASSANDRA-12189: escape string literals (CASSANDRA-15948) * Avoid hinted handoff per-host throttle being arounded to 0 in large cluster (CASSANDRA-15859) * Avoid emitting empty range tombstones from RangeTombstoneList (CASSANDRA-15924) * Avoid thread starvation, and improve compare-and-swap performance, in the slab allocators (CASSANDRA-15922) * Add token to tombstone warning and error messages (CASSANDRA-15890) * Fixed range read concurrency factor computation and capped as 10 times tpc cores (CASSANDRA-15752) * Catch exception on bootstrap resume and init native transport (CASSANDRA-15863) * Fix replica-side filtering returning stale data with CL > ONE (CASSANDRA-8272, CASSANDRA-8273) * Fix duplicated row on 2.x upgrades when multi-rows range tombstones interact with collection ones (CASSANDRA-15805) * Rely on snapshotted session infos on StreamResultFuture.maybeComplete to avoid race conditions (CASSANDRA-15667) * EmptyType doesn't override writeValue so could attempt to write bytes when expected not to (CASSANDRA-15790) * Fix index queries on partition key columns when some partitions contains only static data (CASSANDRA-13666) * Avoid creating duplicate rows during major upgrades (CASSANDRA-15789) * liveDiskSpaceUsed and totalDiskSpaceUsed get corrupted if IndexSummaryRedistribution gets interrupted (CASSANDRA-15674) * Fix Debian init start/stop (CASSANDRA-15770) * Fix infinite loop on index query paging in tables with clustering (CASSANDRA-14242) * Fix chunk index overflow due to large sstable with small chunk length (CASSANDRA-15595) * Allow selecting static column only when querying static index (CASSANDRA-14242) * cqlsh return non-zero status when STDIN CQL fails (CASSANDRA-15623) * Don't skip sstables in slice queries based only on local min/max/deletion timestamp (CASSANDRA-15690) * Memtable memory allocations may deadlock (CASSANDRA-15367) * Run evictFromMembership in GossipStage (CASSANDRA-15592) * Fix nomenclature of allow and deny lists (CASSANDRA-15862) * Remove generated files from source artifact (CASSANDRA-15849) * Remove duplicated tools binaries from tarballs (CASSANDRA-15768) * Duplicate results with DISTINCT queries in mixed mode (CASSANDRA-15501) * Disable JMX rebinding (CASSANDRA-15653) * Fix writing of snapshot manifest when the table has table-backed secondary indexes (CASSANDRA-10968) * Fix parse error in cqlsh COPY FROM and formatting for map of blobs (CASSANDRA-15679) * Fix Commit log replays when static column clustering keys are collections (CASSANDRA-14365) * Fix Red Hat init script on newer systemd versions (CASSANDRA-15273) * Allow EXTRA_CLASSPATH to work on tar/source installations (CASSANDRA-15567) * Fix bad UDT sstable metadata serialization headers written by C* 3.0 on upgrade and in sstablescrub (CASSANDRA-15035) * Fix nodetool compactionstats showing extra pending task for TWCS - patch implemented (CASSANDRA-15409) * Fix SELECT JSON formatting for the 'duration' type (CASSANDRA-15075) * Fix LegacyLayout to have same behavior as 2.x when handling unknown column names (CASSANDRA-15081) * Update nodetool help stop output (CASSANDRA-15401) * Run in-jvm upgrade dtests in circleci (CASSANDRA-15506) * Include updates to static column in mutation size calculations (CASSANDRA-15293) * Fix point-in-time recoevery ignoring timestamp of updates to static columns (CASSANDRA-15292) * GC logs are also put under $CASSANDRA_LOG_DIR (CASSANDRA-14306) * Fix sstabledump's position key value when partitions have multiple rows (CASSANDRA-14721) * Avoid over-scanning data directories in LogFile.verify() (CASSANDRA-15364) * Bump generations and document changes to system_distributed and system_traces in 3.0, 3.11 (CASSANDRA-15441) * Fix system_traces creation timestamp; optimise system keyspace upgrades (CASSANDRA-15398) * Fix various data directory prefix matching issues (CASSANDRA-13974) * Minimize clustering values in metadata collector (CASSANDRA-15400) * Avoid over-trimming of results in mixed mode clusters (CASSANDRA-15405) * validate value sizes in LegacyLayout (CASSANDRA-15373) * Ensure that tracing doesn't break connections in 3.x/4.0 mixed mode by default (CASSANDRA-15385) * Make sure index summary redistribution does not start when compactions are paused (CASSANDRA-15265) * Ensure legacy rows have primary key livenessinfo when they contain illegal cells (CASSANDRA-15365) * Fix race condition when setting bootstrap flags (CASSANDRA-14878) * Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426) * Fix SELECT JSON output for empty blobs (CASSANDRA-15435) * In-JVM DTest: Set correct internode message version for upgrade test (CASSANDRA-15371) * In-JVM DTest: Support NodeTool in dtest (CASSANDRA-15429) * Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426) * Fix SASI non-literal string comparisons (range operators) (CASSANDRA-15169) * Make sure user defined compaction transactions are always closed (CASSANDRA-15123) * Fix cassandra-env.sh to use $CASSANDRA_CONF to find cassandra-jaas.config (CASSANDRA-14305) * Fixed nodetool cfstats printing index name twice (CASSANDRA-14903) * Add flag to disable SASI indexes, and warnings on creation (CASSANDRA-14866) * Add ability to cap max negotiable protocol version (CASSANDRA-15193) * Gossip tokens on startup if available (CASSANDRA-15335) * Fix resource leak in CompressedSequentialWriter (CASSANDRA-15340) * Fix bad merge that reverted CASSANDRA-14993 (CASSANDRA-15289) * Fix LegacyLayout RangeTombstoneList IndexOutOfBoundsException when upgrading and RangeTombstone bounds are asymmetric (CASSANDRA-15172) * Fix NPE when using allocate_tokens_for_keyspace on new DC/rack (CASSANDRA-14952) * Filter sstables earlier when running cleanup (CASSANDRA-15100) * Use mean row count instead of mean column count for index selectivity calculation (CASSANDRA-15259) * Avoid updating unchanged gossip states (CASSANDRA-15097) * Prevent recreation of previously dropped columns with a different kind (CASSANDRA-14948) * Prevent client requests from blocking on executor task queue (CASSANDRA-15013) * Toughen up column drop/recreate type validations (CASSANDRA-15204) * LegacyLayout should handle paging states that cross a collection column (CASSANDRA-15201) * Prevent RuntimeException when username or password is empty/null (CASSANDRA-15198) * Multiget thrift query returns null records after digest mismatch (CASSANDRA-14812) * Skipping illegal legacy cells can break reverse iteration of indexed partitions (CASSANDRA-15178) * Handle paging states serialized with a different version than the session's (CASSANDRA-15176) * Throw IOE instead of asserting on unsupporter peer versions (CASSANDRA-15066) * Update token metadata when handling MOVING/REMOVING_TOKEN events (CASSANDRA-15120) * Add ability to customize cassandra log directory using $CASSANDRA_LOG_DIR (CASSANDRA-15090) * Skip cells with illegal column names when reading legacy sstables (CASSANDRA-15086) * Fix assorted gossip races and add related runtime checks (CASSANDRA-15059) * Fix mixed mode partition range scans with limit (CASSANDRA-15072) * cassandra-stress works with frozen collections: list and set (CASSANDRA-14907) * Fix handling FS errors on writing and reading flat files - LogTransaction and hints (CASSANDRA-15053) * Avoid double closing the iterator to avoid overcounting the number of requests (CASSANDRA-15058) * Improve `nodetool status -r` speed (CASSANDRA-14847) * Improve merkle tree size and time on heap (CASSANDRA-14096) * Add missing commands to nodetool_completion (CASSANDRA-14916) * Anti-compaction temporarily corrupts sstable state for readers (CASSANDRA-15004) * Catch non-IOException in FileUtils.close to make sure that all resources are closed (CASSANDRA-15225) * Handle exceptions during authentication/authorization (CASSANDRA-15041) * Support cross version messaging in in-jvm upgrade dtests (CASSANDRA-15078) * Fix index summary redistribution cancellation (CASSANDRA-15045) * Fixing invalid CQL in security documentation (CASSANDRA-15020) * Allow instance class loaders to be garbage collected for inJVM dtest (CASSANDRA-15170) * Add support for network topology and query tracing for inJVM dtest (CASSANDRA-15319) * Correct sstable sorting for garbagecollect and levelled compaction (CASSANDRA-14870) * Severe concurrency issues in STCS,DTCS,TWCS,TMD.Topology,TypeParser * Add a script to make running the cqlsh tests in cassandra repo easier (CASSANDRA-14951) * If SizeEstimatesRecorder misses a 'onDropTable' notification, the size_estimates table will never be cleared for that table. (CASSANDRA-14905) * Counters fail to increment in 2.1/2.2 to 3.X mixed version clusters (CASSANDRA-14958) * Streaming needs to synchronise access to LifecycleTransaction (CASSANDRA-14554) * Fix cassandra-stress write hang with default options (CASSANDRA-14616) * Differentiate between slices and RTs when decoding legacy bounds (CASSANDRA-14919) * Netty epoll IOExceptions caused by unclean client disconnects being logged at INFO (CASSANDRA-14909) * Unfiltered.isEmpty conflicts with Row extends AbstractCollection.isEmpty (CASSANDRA-14588) * RangeTombstoneList doesn't properly clean up mergeable or superseded rts in some cases (CASSANDRA-14894) * Fix handling of collection tombstones for dropped columns from legacy sstables (CASSANDRA-14912) * Throw exception if Columns serialized subset encode more columns than possible (CASSANDRA-14591) * Drop/add column name with different Kind can result in corruption (CASSANDRA-14843) * Fix missing rows when reading 2.1 SSTables with static columns in 3.0 (CASSANDRA-14873) * Move TWCS message 'No compaction necessary for bucket size' to Trace level (CASSANDRA-14884) * Sstable min/max metadata can cause data loss (CASSANDRA-14861) * Dropped columns can cause reverse sstable iteration to return prematurely (CASSANDRA-14838) * Legacy sstables with multi block range tombstones create invalid bound sequences (CASSANDRA-14823) * Expand range tombstone validation checks to multiple interim request stages (CASSANDRA-14824) * Reverse order reads can return incomplete results (CASSANDRA-14803) * Avoid calling iter.next() in a loop when notifying indexers about range tombstones (CASSANDRA-14794) * Fix purging semi-expired RT boundaries in reversed iterators (CASSANDRA-14672) * DESC order reads can fail to return the last Unfiltered in the partition (CASSANDRA-14766) * Fix corrupted collection deletions for dropped columns in 3.0 2.{1,2} messages (CASSANDRA-14568) * Fix corrupted static collection deletions in 3.0 2.{1,2} messages (CASSANDRA-14568) * Handle failures in parallelAllSSTableOperation (cleanup/upgradesstables/etc) (CASSANDRA-14657) * Improve TokenMetaData cache populating performance avoid long locking (CASSANDRA-14660) * Backport: Flush netty client messages immediately (not by default) (CASSANDRA-13651) * Fix static column order for SELECT * wildcard queries (CASSANDRA-14638) * sstableloader should use discovered broadcast address to connect intra-cluster (CASSANDRA-14522) * Fix reading columns with non-UTF names from schema (CASSANDRA-14468) * Don't enable client transports when bootstrap is pending (CASSANDRA-14525) * MigrationManager attempts to pull schema from different major version nodes (CASSANDRA-14928) * Fix incorrect cqlsh results when selecting same columns multiple times (CASSANDRA-13262) * Returns null instead of NaN or Infinity in JSON strings (CASSANDRA-14377) * Paged Range Slice queries with DISTINCT can drop rows from results (CASSANDRA-14956) * Validate supported column type with SASI analyzer (CASSANDRA-13669) * Remove BTree.Builder Recycler to reduce memory usage (CASSANDRA-13929) * Reduce nodetool GC thread count (CASSANDRA-14475) * Fix New SASI view creation during Index Redistribution (CASSANDRA-14055) * Remove string formatting lines from BufferPool hot path (CASSANDRA-14416) * Update metrics to 3.1.5 (CASSANDRA-12924) * Detect OpenJDK jvm type and architecture (CASSANDRA-12793) * Don't use guava collections in the non-system keyspace jmx attributes (CASSANDRA-12271) * Allow existing nodes to use all peers in shadow round (CASSANDRA-13851) * Fix cqlsh to read connection.ssl cqlshrc option again (CASSANDRA-14299) * Downgrade log level to trace for CommitLogSegmentManager (CASSANDRA-14370) * CQL fromJson(null) throws NullPointerException (CASSANDRA-13891) * Serialize empty buffer as empty string for json output format (CASSANDRA-14245) * Allow logging implementation to be interchanged for embedded testing (CASSANDRA-13396) * SASI tokenizer for simple delimiter based entries (CASSANDRA-14247) * Fix Loss of digits when doing CAST from varint/bigint to decimal (CASSANDRA-14170) * RateBasedBackPressure unnecessarily invokes a lock on the Guava RateLimiter (CASSANDRA-14163) * Fix wildcard GROUP BY queries (CASSANDRA-14209) * Fix corrupted static collection deletions in 3.0 -> 2.{1,2} messages (CASSANDRA-14568) * Fix potential IndexOutOfBoundsException with counters (CASSANDRA-14167) * Always close RT markers returned by ReadCommand#executeLocally() (CASSANDRA-14515) * Reverse order queries with range tombstones can cause data loss (CASSANDRA-14513) * Fix regression of lagging commitlog flush log message (CASSANDRA-14451) * Add Missing dependencies in pom-all (CASSANDRA-14422) * Cleanup StartupClusterConnectivityChecker and PING Verb (CASSANDRA-14447) * Fix deprecated repair error notifications from 3.x clusters to legacy JMX clients (CASSANDRA-13121) * Cassandra not starting when using enhanced startup scripts in windows (CASSANDRA-14418) * Fix progress stats and units in compactionstats (CASSANDRA-12244) * Better handle missing partition columns in system_schema.columns (CASSANDRA-14379) * Delay hints store excise by write timeout to avoid race with decommission (CASSANDRA-13740) * Deprecate background repair and probablistic read_repair_chance table options (CASSANDRA-13910) * Add missed CQL keywords to documentation (CASSANDRA-14359) * Fix unbounded validation compactions on repair / revert CASSANDRA-13797 (CASSANDRA-14332) * Avoid deadlock when running nodetool refresh before node is fully up (CASSANDRA-14310) * Handle all exceptions when opening sstables (CASSANDRA-14202) * Handle incompletely written hint descriptors during startup (CASSANDRA-14080) * Handle repeat open bound from SRP in read repair (CASSANDRA-14330) * Respect max hint window when hinting for LWT (CASSANDRA-14215) * Adding missing WriteType enum values to v3, v4, and v5 spec (CASSANDRA-13697) * Don't regenerate bloomfilter and summaries on startup (CASSANDRA-11163) * Fix NPE when performing comparison against a null frozen in LWT (CASSANDRA-14087) * Log when SSTables are deleted (CASSANDRA-14302) * Fix batch commitlog sync regression (CASSANDRA-14292) * Write to pending endpoint when view replica is also base replica (CASSANDRA-14251) * Chain commit log marker potential performance regression in batch commit mode (CASSANDRA-14194) * Fully utilise specified compaction threads (CASSANDRA-14210) * Pre-create deletion log records to finish compactions quicker (CASSANDRA-12763) * Fix bug that prevented compaction of SSTables after full repairs (CASSANDRA-14423) * Incorrect counting of pending messages in OutboundTcpConnection (CASSANDRA-11551) * Fix compaction failure caused by reading un-flushed data (CASSANDRA-12743) * Use Bounds instead of Range for sstables in anticompaction (CASSANDRA-14411) * Fix JSON queries with IN restrictions and ORDER BY clause (CASSANDRA-14286) * Backport circleci yaml (CASSANDRA-14240) * Check checksum before decompressing data (CASSANDRA-14284) * CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt (CASSANDRA-14183) - Use %license macro

Changes in cassandra-kit: - Update to Cassandra 3.11.10 (bsc#1181689, CVE-2020-17516)

Changes in crowbar-core: - Update to version 5.0+git.1622489449.a8e60e238: * avoid v4.1.5 of delayed_job_active_record (noref) * add CVE-2020-26247 to travis ignore list (bsc#1180507)

Changes in crowbar-openstack: - Update to version 5.0+git.1616001417.67fd9c2a1: * monasca: restart Kibana on update (bsc#1044849)

- Update to version 5.0+git.1615542070.7841c34b7: * monasca: fix monasca-server reinstall state check (SOC-11471)

Changes in documentation-suse-openstack-cloud: - Update to version 8.20210512: * Moved Monasca deployment to immediately after keystone (SOC-11525) (#1312)

- Update to version 8.20210511: * Update the correct SLES version to suse-12.3 (SOC-11521) (#1321) * Renamed the repo name from SLE12-SP3-HA to SLE-HA12-SP3 (SOC-11523) (#1320)

- Update to version 8.20210511: * Add bm-power-status playbook to add sles compute section (#1317)

- Update to version 8.20210507: * Add instructions for checking MySQL cert expiry (SOC-11422) (#1311)

- Update to version 8.20210304: * Add nova and heat db purge cron jobs to maintenance section (SOC-9876) (#1307)

Changes in grafana: - Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358) * Prevent unauthenticated remote attackers from causing a DoS through the snapshots API.

Changes in kibana: - Ensure /etc/sysconfig/kibana is present

- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14, ESA-2017-16) * [4.6] ignore forked code for babel transpile build phase (#13483) * Allow more than match queries in custom filters (#8614) (#10857) * [state] don't make extra $location.replace() calls (#9954) * [optimizer] move to querystring-browser package for up-to-date api * [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls * server: refactor log_interceptor to be more DRY (#9617) * server: downgrade ECANCELED logs to debug (#9616) * server: do not treat logged warnings as errors (#8746) (#9610) * [server/logger] downgrade EPIPE errors to debug level (#9023) * Add basepath when redirecting from a trailling slash (#9035) * [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968) * [server/shortUrl] validate urls before shortening them - Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481) * This fixes an XSS vulnerability in URL fields - Remove %dir declaration from /opt/kibana/optimize to ensure no files owned by root end up in there - Exclude /opt/kibana/optimize from %fdupes - Restart service on upgrade - Do not copy LICENSE.txt and README.txt to /opt/kibana - Fix rpmlint warnings/errors - Switch to explicit patch application - Fix source URL - Fix logic for systemd/systemv detection

Changes in openstack-heat-templates: - Update to version 0.0.0+git.1623056900.7917e18: * Fix zuul config for heat-templates-check

- Update to version 0.0.0+git.1621405516.71a0f7a: * Remove testr

Changes in openstack-monasca-installer: - Add 0001-fix-influxdb-stop-task.patch (SOC-11470) - Add 0001-fix-cassandra-deployment.patch (SOC-11470)

Changes in openstack-nova: - Update to version nova-16.1.9.dev92: * Lowercase ironic driver hash ring and ignore case in cache * Include only required fields in ironic node cache * Add resource\_class to fields in ironic node cache

- Update to version nova-16.1.9.dev86: * [stable-only] Move grenade jobs to experimental * Update resources once in update\_available\_resource * rt: Make resource tracker always invoking get\_inventory()

- Update to version nova-16.1.9.dev81: * [stable-only] gate: Pin CEPH\_RELEASE to nautilus in LM hook

- Update to version nova-16.1.9.dev80: * [placement] Add status and links fields to version document at /

Changes in openstack-nova: - Update to version nova-16.1.9.dev92: * Lowercase ironic driver hash ring and ignore case in cache * Include only required fields in ironic node cache * Add resource\_class to fields in ironic node cache

- Update to version nova-16.1.9.dev86: * [stable-only] Move grenade jobs to experimental * Update resources once in update\_available\_resource * rt: Make resource tracker always invoking get\_inventory()

- Update to version nova-16.1.9.dev81: * [stable-only] gate: Pin CEPH\_RELEASE to nautilus in LM hook

- Update to version nova-16.1.9.dev80: * [placement] Add status and links fields to version document at /

Changes in python-Django: - Add CVE-2021-33203.patch (bsc#1186608, CVE-2021-33203) * Fixed potential path-traversal via admindocs' TemplateDetailView. - Add CVE-2021-33571.patch (bsc#1186611, CVE-2021-33571) * Prevented leading zeros in IPv4 addresses.

- Add CVE-2021-31542.patch (bsc#1185623, CVE-2021-31542) * Fixed CVE-2021-31542 -- Tightened path and file name sanitation in file uploads.

- Add CVE-2021-28658.patch (bsc#1184148, CVE-2021-28658) * Fixed potential directory-traversal via uploaded files

- Add CVE-2021-23336.patch (bsc#1182433, CVE-2021-23336) * Fixed web cache poisoning via django.utils.http.limited_parse_qsl()

Changes in python-eventlet: - Add 0001-websocket-fd-leak-when-client-did-not-close-connecti.patch - Add 0002-websocket-Limit-maximum-uncompressed-frame-length-to.patch (bsc#1185836 CVE-2021-21419) * websocket: Limit maximum uncompressed frame length to 8MiB

Changes in python-py: - Add CVE-2020-29651.patch ((bsc#1179805, CVE-2020-29651) * svnwc: fix regular expression vulnerable to DoS in blame functionality

Changes in python-pysaml2: - Add %dir declaration for %{_licensedir}

- Fix CVE-2021-21238, bsc#1181277 with 0004-Strengthen-XSW-tests.patch , 0005-Fix-the-parser-to-not-break-on-ePTID-AttributeValues.patch , 0006-Add-xsd-schemas.patch , 0007-Fix-CVE-2021-21238-SAML-XML-Signature-wrapping.patch . This adds a dependency on python-xmlschema, which depends on python-elementpath and build depends python-pathlib2, which depends on python-scandir, thus all these need to be added for this to work. The used python-xmlschema needs to support the sandbox argument which was added in 1.2.0 and refined in 1.2.1, but that version doesn't support python2, so a patched version that does both is needed. 0009-Make-previous-commits-python2-compatible.patch to not add a dependency on reportlib_resources and make other changes python2 compatible. - Fix CVE-2021-21239, bsc#1181278 with 0008-Fix-CVE-2021-21239-Restrict-the-key-data-that-xmlsec.patch

Changes in venv-openstack-keystone: - Add python-xmlschema and python-elementpath for new python-pysaml2 version.

Changes in python-xmlschema:

- Add missed BuildRequires on pathlib2

- Add 3 patches to backport sandbox argument, which is needed by a security fix in python-pysaml2 and one patch to make backport python2 compatible. - Upstream url changed - Add rpmlintrc to make it work on Leap 42.3 - Update to 1.0.18: * Fix for *ModelVisitor.iter_unordered_content()* * Fixed default converter, AbderaConverter and JsonMLConverter for xs:anyType decode * Fixed validation tests with all converters * Added UnorderedConverter to validation tests - Update to 1.0.17: * Enhancement of validation-only speed (~15%) * Added *is_valid()* and *iter_errors()* to module API - Update to 1.0.16: * Improved XMLResource class for working with compressed files * Fix for validation with XSD wildcards and 'lax' process content * Fix ambiguous items validation for xs:choice and xs:sequence models

- Handle UnicodeDecodeErrors during build process

- Update to 1.0.15: * Improved XPath 2.0 bindings * Added logging for schema initialization and building (handled with argument loglevel) * Update encoding of collapsed contents with a new model based reordering method * Removed XLink namespace from meta-schema (loaded from a fallback location like XHTML) * Fixed half of failed W3C instance tests (remain 255 over 15344 tests)

- Initial commit, needed by pytest 5.1.2

Changes in python-elementpath:

- Update to 1.3.1: * Improved schema proxy * Improved XSD type matching using paths * Cached parent path for XPathContext (only Python 3) * Improve typed selection with TypedAttribute and TypedElement named-tuples * Add iter_results to XPathContext * Remove XMLSchemaProxy from package * Fix descendant shortcut operator '//' * Fix text() function * Fix typed select of '(name)' token * Fix 24-hour time for DateTime

- Skip test_hashing to fix 32bit builds

- Initial commit needed by python-xmlschema

Changes in python-six: - Update in SLE-12 (bsc#1176784, jsc#ECO-3105, jsc#PM-2352)

- Fix testsuite on SLE-12 + Add python to BuildRequires for suse_version less 1500

- Fix dbm deps as the MU for provides: python-dbm was not released on sle12 yet - Add requirement on pytest > 4.0 to see the pytest module works with this MU

- Do not cause buildcycle with previous change but rather install the egg-info prepared metadata from the tarball

- use setuptools for building to support pip 10.x (bsc#1166139)

- update to 1.14.0 * Add `six.assertNotRegex` * `six.moves._dummy_thread` now points to the `_thread` module on Python 3.9+. Python 3.7 and later requires threading and deprecated the `_dummy_thread` module * Remove support for Python 2.6 and Python 3.2 * `six.wraps` now ignores missing attributes

- Pull in dbm/gdbm module from python for testing

- update to 0.13.0: - Issue #298, pull request #299: Add `six.moves.dbm_ndbm`. - Issue #155: Add `six.moves.collections_abc`, which aliases the `collections` module on Python 2-3.2 and the `collections.abc` on Python 3.3 and greater. - Pull request #304: Re-add distutils fallback in `setup.py`. - Pull request #305: On Python 3.7, `with_metaclass` supports classes using PEP

- Simplify the pytest call

- Fix pytest call - Fixdocumentation package generating

- Change %pretrans back to %pre to fix bootstrap issue boo#1123064 bsc#1143893

- Require just base python module, even full python is too much and it is not required here

- Update to 0.12.0: * `six.add_metaclass` now preserves `__qualname__` from the original class. * Add `six.ensure_binary`, `six.ensure_text`, and `six.ensure_str`. - Because of cyclical dependencies between six and Sphinx, we need to to do multibuild.

- Include in SLE-12 (FATE#326838, bsc#1113302)

- remove egg-info directory in %pretrans - fix egg-info directory pattern - match any version of egg-info for a certain python version

- Break the cycilical dependency on python-setuptools.

- Remove argparse dependency

- build python3 subpackage (FATE#324435, bsc#1073879)

- remove egg-info directory before installation if it exists, because setuptools produce directory and six switched to distutils that produce a file (and because rpm can't handle that by itself) fixes bsc#1057496

- Fix Source url

- README->README.rst, add CHANGES - update to version 1.11.0: * Pull request #178: `with_metaclass` now properly proxies `__prepare__` to the underlying metaclass. * Pull request #191: Allow `with_metaclass` to work with metaclasses implemented in C. * Pull request #203: Add parse_http_list and parse_keqv_list to moved urllib.request. * Pull request #172 and issue #171: Add unquote_to_bytes to moved urllib.parse. * Pull request #167: Add `six.moves.getoutput`. * Pull request #80: Add `six.moves.urllib_parse.splitvalue`. * Pull request #75: Add `six.moves.email_mime_image`. * Pull request #72: Avoid creating reference cycles through tracebacks in `reraise`.

- Submit 1.9.0 to SLE-12 (fate#319030, fate#318838, bsc#940812)

- sanitize release line in specfile

Changes in rubygem-activerecord-session_store.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update: - added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174) * This requires CVE-2019-16782.patch to be included in rubygem-actionpack-4_2 to work correctly.

Changes in venv-openstack-keystone: - Add python-xmlschema and python-elementpath for new python-pysaml2 version.

- Add python-defusedxml (bsc#1019074)

- Inherit version number of venv from main component (SCRD-8523)


Family:unixClass:patch
Status:Reference(s):1019074
1044849
1057496
1073879
1113302
1123064
1143893
1166139
1176784
1179805
1180507
1181277
1181278
1181689
1181828
1182433
1183174
1183803
1184148
1185623
1185836
1186608
1186611
940812
CVE-2017-11481
CVE-2017-11499
CVE-2017-5929
CVE-2019-25025
CVE-2020-17516
CVE-2020-26247
CVE-2020-29651
CVE-2021-21238
CVE-2021-21239
CVE-2021-21419
CVE-2021-23336
CVE-2021-27358
CVE-2021-28658
CVE-2021-31542
CVE-2021-33203
CVE-2021-33571
SUSE-SU-2021:2554-1
Platform(s):SUSE OpenStack Cloud Crowbar 8
Product(s):
Definition Synopsis
  • SUSE OpenStack Cloud Crowbar 8 is installed
  • AND Package Information
  • cassandra-3.11.10-5.3.5 is installed
  • OR cassandra-tools-3.11.10-5.3.5 is installed
  • OR crowbar-core-5.0+git.1622489449.a8e60e238-3.50.4 is installed
  • OR crowbar-core-branding-upstream-5.0+git.1622489449.a8e60e238-3.50.4 is installed
  • OR crowbar-openstack-5.0+git.1616001417.67fd9c2a1-4.52.5 is installed
  • OR documentation-suse-openstack-cloud-deployment-8.20210512-1.32.5 is installed
  • OR documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5 is installed
  • OR documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5 is installed
  • OR documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5 is installed
  • OR grafana-6.7.4-4.18.2 is installed
  • OR kibana-4.6.6-3.9.2 is installed
  • OR openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3 is installed
  • OR openstack-monasca-installer-20190923_16.32-3.18.2 is installed
  • OR openstack-nova-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-api-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-cells-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-compute-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-conductor-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-console-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-consoleauth-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-doc-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-novncproxy-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-placement-api-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-scheduler-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-serialproxy-16.1.9~dev92-3.48.5 is installed
  • OR openstack-nova-vncproxy-16.1.9~dev92-3.48.5 is installed
  • OR python-Django-1.11.29-3.25.3 is installed
  • OR python-elementpath-1.3.1-1.3.2 is installed
  • OR python-eventlet-0.20.0-6.3.3 is installed
  • OR python-nova-16.1.9~dev92-3.48.5 is installed
  • OR python-py-1.4.34-3.3.3 is installed
  • OR python-pysaml2-4.0.2-5.9.2 is installed
  • OR python-xmlschema-1.0.18-1.3.3 is installed
  • OR ruby2.1-rubygem-activerecord-session_store-0.1.2-3.3.2 is installed
  • BACK