Oval Definition:oval:org.opensuse.security:def:88141
Revision Date:2021-06-11Version:1
Title:Security update for ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone (Moderate)
Description:

This update for ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone contains the following fixes:

Security fixes included in this update:

cassandra: - CVE-2020-17516: Fixed an issue where encryption between nodes was not enforced correctly for certain internode_encryption settings (bsc#1181689)

grafana: - CVE-2018-18623, CVE-2018-18624, CVE-2018-18625: Fixed multiple cross site scripting vulnerabilities in the dashboard. (bsc#1172450) - CVE-2021-27358: Fixed a denial of service via remote API call. (bsc#1183803) - CVE-2019-15043: Fixed a denial of service by an unauthenticated user in the snapshot HTTP API (bsc#1148383) - CVE-2020-13379: Fixed an information leak to unauthenticated users. (bsc#1172409) - CVE-2020-12052: Fixed a cross site scripting vulnerability with the annotation popup (bsc#1170657) - CVE-2018-19039: Fixed an issue where a privileged user could exfiltrate files (bsc#1115960) - CVE-2020-11110: Fixed a stored cross site scripting vulnerability. (bsc#1174583) - CVE-2020-24303: Fixed a cross site scripting vulnerability in a query alias for ElasticSearch datasources (bsc#1178243)

kibana: - CVE-2017-11499: Fixed a vulnerability in nodejs, related to the HashTable implementation, which could cause a denial of service. (bsc#1044849) - CVE-2017-11481: Fixed a cross site scripting vulnerability via via URL fields. (bsc#1044849) - CVE-2020-10743: Fixed a clickjacking issue because X-Frame-Option was not used by default. (bsc#1171909)

python-Django: - CVE-2021-23336: Fixed a web cache poisoning via django.utils.http.limited_parse_qsl(). (bsc#1182433) - CVE-2021-28658: Fixed a directory traversal via uploaded files. (bsc#1184148) - CVE-2021-31542: Fixed a directory traversal via uploaded files with suitably crafted file names. (bsc#1185623) - CVE-2021-33203: Fixed potential path-traversal via admindocs' TemplateDetailView. (bsc#1186608) - CVE-2021-33571: Tighten validator checks to not allow leading zeros in IPv4 addresses, which potentially leads to further attacks. (bsc#1186611)

python-py: - CVE-2020-29651: Fixed a denial of service via regular expressions. (bsc#1179805)

python-pysaml2: - CVE-2021-21238: Fixed improper verification of cryptographic signatures for signed SAML documents. (bsc#1181277) - CVE-2021-21239: Fixed improper verification of cryptographic signatures when using CryptoBackendXmlSec1(). (bsc#1181278)

rubygem-activerecord-session_store: - CVE-2019-25025: Fixed a timing attacks targeting the session id which could allow an attack to hijack sessions. (bsc#1183174)



Non-security changes included in this update:

Changes in ardana-neutron: - Update to version 9.0+git.1615223676.777f0b3: * Allow users to stop monitoring rootwrap daemon (bsc#1182317)

Changes in ardana-swift: - Update to version 9.0+git.1618235096.90974ed: * Run swiftlm-scan in the UTC timezone (bsc#1181690)

Changes in cassandra: - update to 3.11.10 (bsc#1181689, CVE-2020-17516) * Fix digest computation for queries with fetched but non queried columns (CASSANDRA-15962) * Reduce amount of allocations during batch statement execution (CASSANDRA-16201) * Update jflex-1.6.0.jar to match upstream (CASSANDRA-16393) * Fix DecimalDeserializer#toString OOM (CASSANDRA-14925) * Rate limit validation compactions using compaction_throughput_mb_per_sec (CASSANDRA-16161) * SASI's `max_compaction_flush_memory_in_mb` settings over 100GB revert to default of 1GB (CASSANDRA-16071) * Prevent unbounded number of pending flushing tasks (CASSANDRA-16261) * Improve empty hint file handling during startup (CASSANDRA-16162) * Allow empty string in collections with COPY FROM in cqlsh (CASSANDRA-16372) * Fix skipping on pre-3.0 created compact storage sstables due to missing primary key liveness (CASSANDRA-16226) * Extend the exclusion of replica filtering protection to other indices instead of just SASI (CASSANDRA-16311) * Synchronize transaction logs for JBOD (CASSANDRA-16225) * Fix the counting of cells per partition (CASSANDRA-16259) * Fix serial read/non-applying CAS linearizability (CASSANDRA-12126) * Avoid potential NPE in JVMStabilityInspector (CASSANDRA-16294) * Improved check of num_tokens against the length of initial_token (CASSANDRA-14477) * Fix a race condition on ColumnFamilyStore and TableMetrics (CASSANDRA-16228) * Remove the SEPExecutor blocking behavior (CASSANDRA-16186) * Fix invalid cell value skipping when reading from disk (CASSANDRA-16223) * Prevent invoking enable/disable gossip when not in NORMAL (CASSANDRA-16146) * Wait for schema agreement when bootstrapping (CASSANDRA-15158) * Fix the histogram merge of the table metrics (CASSANDRA-16259) * Synchronize Keyspace instance store/clear (CASSANDRA-16210) * Fix ColumnFilter to avoid querying cells of unselected complex columns (CASSANDRA-15977) * Fix memory leak in CompressedChunkReader (CASSANDRA-15880) * Don't attempt value skipping with mixed version cluster (CASSANDRA-15833) * Avoid failing compactions with very large partitions (CASSANDRA-15164) * Make sure LCS handles duplicate sstable added/removed notifications correctly (CASSANDRA-14103) * Fix OOM when terminating repair session (CASSANDRA-15902) * Avoid marking shutting down nodes as up after receiving gossip shutdown message (CASSANDRA-16094) * Check SSTables for latest version before dropping compact storage (CASSANDRA-16063) * Handle unexpected columns due to schema races (CASSANDRA-15899) * Add flag to ignore unreplicated keyspaces during repair (CASSANDRA-15160) * Package tools/bin scripts as executable (CASSANDRA-16151) * Fixed a NullPointerException when calling nodetool enablethrift (CASSANDRA-16127) * Correctly interpret SASI's `max_compaction_flush_memory_in_mb` setting in megabytes not bytes (CASSANDRA-16071) * Fix short read protection for GROUP BY queries (CASSANDRA-15459) * Frozen RawTuple is not annotated with frozen in the toString method (CASSANDRA-15857) Merged from 3.0: * Use IF NOT EXISTS for index and UDT create statements in snapshot schema files (CASSANDRA-13935) * Fix gossip shutdown order (CASSANDRA-15816) * Remove broken 'defrag-on-read' optimization (CASSANDRA-15432) * Check for endpoint collision with hibernating nodes (CASSANDRA-14599) * Operational improvements and hardening for replica filtering protection (CASSANDRA-15907) * stop_paranoid disk failure policy is ignored on CorruptSSTableException after node is up (CASSANDRA-15191) * Forbid altering UDTs used in partition keys (CASSANDRA-15933) * Fix empty/null json string representation (CASSANDRA-15896) * 3.x fails to start if commit log has range tombstones from a column which is also deleted (CASSANDRA-15970) * Handle difference in timestamp precision between java8 and java11 in LogFIle.java (CASSANDRA-16050) Merged from 2.2: * Fix CQL parsing of collections when the column type is reversed (CASSANDRA-15814) * Only allow strings to be passed to JMX authentication (CASSANDRA-16077) * Fix cqlsh output when fetching all rows in batch mode (CASSANDRA-15905) * Upgrade Jackson to 2.9.10 (CASSANDRA-15867) * Fix CQL formatting of read command restrictions for slow query log (CASSANDRA-15503) * Allow sstableloader to use SSL on the native port (CASSANDRA-14904) * Backport CASSANDRA-12189: escape string literals (CASSANDRA-15948) * Avoid hinted handoff per-host throttle being arounded to 0 in large cluster (CASSANDRA-15859) * Avoid emitting empty range tombstones from RangeTombstoneList (CASSANDRA-15924) * Avoid thread starvation, and improve compare-and-swap performance, in the slab allocators (CASSANDRA-15922) * Add token to tombstone warning and error messages (CASSANDRA-15890) * Fixed range read concurrency factor computation and capped as 10 times tpc cores (CASSANDRA-15752) * Catch exception on bootstrap resume and init native transport (CASSANDRA-15863) * Fix replica-side filtering returning stale data with CL > ONE (CASSANDRA-8272, CASSANDRA-8273) * Fix duplicated row on 2.x upgrades when multi-rows range tombstones interact with collection ones (CASSANDRA-15805) * Rely on snapshotted session infos on StreamResultFuture.maybeComplete to avoid race conditions (CASSANDRA-15667) * EmptyType doesn't override writeValue so could attempt to write bytes when expected not to (CASSANDRA-15790) * Fix index queries on partition key columns when some partitions contains only static data (CASSANDRA-13666) * Avoid creating duplicate rows during major upgrades (CASSANDRA-15789) * liveDiskSpaceUsed and totalDiskSpaceUsed get corrupted if IndexSummaryRedistribution gets interrupted (CASSANDRA-15674) * Fix Debian init start/stop (CASSANDRA-15770) * Fix infinite loop on index query paging in tables with clustering (CASSANDRA-14242) * Fix chunk index overflow due to large sstable with small chunk length (CASSANDRA-15595) * Allow selecting static column only when querying static index (CASSANDRA-14242) * cqlsh return non-zero status when STDIN CQL fails (CASSANDRA-15623) * Don't skip sstables in slice queries based only on local min/max/deletion timestamp (CASSANDRA-15690) * Memtable memory allocations may deadlock (CASSANDRA-15367) * Run evictFromMembership in GossipStage (CASSANDRA-15592) * Fix nomenclature of allow and deny lists (CASSANDRA-15862) * Remove generated files from source artifact (CASSANDRA-15849) * Remove duplicated tools binaries from tarballs (CASSANDRA-15768) * Duplicate results with DISTINCT queries in mixed mode (CASSANDRA-15501) * Disable JMX rebinding (CASSANDRA-15653) * Fix writing of snapshot manifest when the table has table-backed secondary indexes (CASSANDRA-10968) * Fix parse error in cqlsh COPY FROM and formatting for map of blobs (CASSANDRA-15679) * Fix Commit log replays when static column clustering keys are collections (CASSANDRA-14365) * Fix Red Hat init script on newer systemd versions (CASSANDRA-15273) * Allow EXTRA_CLASSPATH to work on tar/source installations (CASSANDRA-15567) * Fix bad UDT sstable metadata serialization headers written by C* 3.0 on upgrade and in sstablescrub (CASSANDRA-15035) * Fix nodetool compactionstats showing extra pending task for TWCS - patch implemented (CASSANDRA-15409) * Fix SELECT JSON formatting for the 'duration' type (CASSANDRA-15075) * Fix LegacyLayout to have same behavior as 2.x when handling unknown column names (CASSANDRA-15081) * Update nodetool help stop output (CASSANDRA-15401) * Run in-jvm upgrade dtests in circleci (CASSANDRA-15506) * Include updates to static column in mutation size calculations (CASSANDRA-15293) * Fix point-in-time recoevery ignoring timestamp of updates to static columns (CASSANDRA-15292) * GC logs are also put under $CASSANDRA_LOG_DIR (CASSANDRA-14306) * Fix sstabledump's position key value when partitions have multiple rows (CASSANDRA-14721) * Avoid over-scanning data directories in LogFile.verify() (CASSANDRA-15364) * Bump generations and document changes to system_distributed and system_traces in 3.0, 3.11 (CASSANDRA-15441) * Fix system_traces creation timestamp; optimise system keyspace upgrades (CASSANDRA-15398) * Fix various data directory prefix matching issues (CASSANDRA-13974) * Minimize clustering values in metadata collector (CASSANDRA-15400) * Avoid over-trimming of results in mixed mode clusters (CASSANDRA-15405) * validate value sizes in LegacyLayout (CASSANDRA-15373) * Ensure that tracing doesn't break connections in 3.x/4.0 mixed mode by default (CASSANDRA-15385) * Make sure index summary redistribution does not start when compactions are paused (CASSANDRA-15265) * Ensure legacy rows have primary key livenessinfo when they contain illegal cells (CASSANDRA-15365) * Fix race condition when setting bootstrap flags (CASSANDRA-14878) * Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426) * Fix SELECT JSON output for empty blobs (CASSANDRA-15435) * In-JVM DTest: Set correct internode message version for upgrade test (CASSANDRA-15371) * In-JVM DTest: Support NodeTool in dtest (CASSANDRA-15429) * Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426) * Fix SASI non-literal string comparisons (range operators) (CASSANDRA-15169) * Make sure user defined compaction transactions are always closed (CASSANDRA-15123) * Fix cassandra-env.sh to use $CASSANDRA_CONF to find cassandra-jaas.config (CASSANDRA-14305) * Fixed nodetool cfstats printing index name twice (CASSANDRA-14903) * Add flag to disable SASI indexes, and warnings on creation (CASSANDRA-14866) * Add ability to cap max negotiable protocol version (CASSANDRA-15193) * Gossip tokens on startup if available (CASSANDRA-15335) * Fix resource leak in CompressedSequentialWriter (CASSANDRA-15340) * Fix bad merge that reverted CASSANDRA-14993 (CASSANDRA-15289) * Fix LegacyLayout RangeTombstoneList IndexOutOfBoundsException when upgrading and RangeTombstone bounds are asymmetric (CASSANDRA-15172) * Fix NPE when using allocate_tokens_for_keyspace on new DC/rack (CASSANDRA-14952) * Filter sstables earlier when running cleanup (CASSANDRA-15100) * Use mean row count instead of mean column count for index selectivity calculation (CASSANDRA-15259) * Avoid updating unchanged gossip states (CASSANDRA-15097) * Prevent recreation of previously dropped columns with a different kind (CASSANDRA-14948) * Prevent client requests from blocking on executor task queue (CASSANDRA-15013) * Toughen up column drop/recreate type validations (CASSANDRA-15204) * LegacyLayout should handle paging states that cross a collection column (CASSANDRA-15201) * Prevent RuntimeException when username or password is empty/null (CASSANDRA-15198) * Multiget thrift query returns null records after digest mismatch (CASSANDRA-14812) * Skipping illegal legacy cells can break reverse iteration of indexed partitions (CASSANDRA-15178) * Handle paging states serialized with a different version than the session's (CASSANDRA-15176) * Throw IOE instead of asserting on unsupporter peer versions (CASSANDRA-15066) * Update token metadata when handling MOVING/REMOVING_TOKEN events (CASSANDRA-15120) * Add ability to customize cassandra log directory using $CASSANDRA_LOG_DIR (CASSANDRA-15090) * Skip cells with illegal column names when reading legacy sstables (CASSANDRA-15086) * Fix assorted gossip races and add related runtime checks (CASSANDRA-15059) * Fix mixed mode partition range scans with limit (CASSANDRA-15072) * cassandra-stress works with frozen collections: list and set (CASSANDRA-14907) * Fix handling FS errors on writing and reading flat files - LogTransaction and hints (CASSANDRA-15053) * Avoid double closing the iterator to avoid overcounting the number of requests (CASSANDRA-15058) * Improve `nodetool status -r` speed (CASSANDRA-14847) * Improve merkle tree size and time on heap (CASSANDRA-14096) * Add missing commands to nodetool_completion (CASSANDRA-14916) * Anti-compaction temporarily corrupts sstable state for readers (CASSANDRA-15004) * Catch non-IOException in FileUtils.close to make sure that all resources are closed (CASSANDRA-15225) * Handle exceptions during authentication/authorization (CASSANDRA-15041) * Support cross version messaging in in-jvm upgrade dtests (CASSANDRA-15078) * Fix index summary redistribution cancellation (CASSANDRA-15045) * Fixing invalid CQL in security documentation (CASSANDRA-15020) * Allow instance class loaders to be garbage collected for inJVM dtest (CASSANDRA-15170) * Add support for network topology and query tracing for inJVM dtest (CASSANDRA-15319) * Correct sstable sorting for garbagecollect and levelled compaction (CASSANDRA-14870) * Severe concurrency issues in STCS,DTCS,TWCS,TMD.Topology,TypeParser * Add a script to make running the cqlsh tests in cassandra repo easier (CASSANDRA-14951) * If SizeEstimatesRecorder misses a 'onDropTable' notification, the size_estimates table will never be cleared for that table. (CASSANDRA-14905) * Counters fail to increment in 2.1/2.2 to 3.X mixed version clusters (CASSANDRA-14958) * Streaming needs to synchronise access to LifecycleTransaction (CASSANDRA-14554) * Fix cassandra-stress write hang with default options (CASSANDRA-14616) * Differentiate between slices and RTs when decoding legacy bounds (CASSANDRA-14919) * Netty epoll IOExceptions caused by unclean client disconnects being logged at INFO (CASSANDRA-14909) * Unfiltered.isEmpty conflicts with Row extends AbstractCollection.isEmpty (CASSANDRA-14588) * RangeTombstoneList doesn't properly clean up mergeable or superseded rts in some cases (CASSANDRA-14894) * Fix handling of collection tombstones for dropped columns from legacy sstables (CASSANDRA-14912) * Throw exception if Columns serialized subset encode more columns than possible (CASSANDRA-14591) * Drop/add column name with different Kind can result in corruption (CASSANDRA-14843) * Fix missing rows when reading 2.1 SSTables with static columns in 3.0 (CASSANDRA-14873) * Move TWCS message 'No compaction necessary for bucket size' to Trace level (CASSANDRA-14884) * Sstable min/max metadata can cause data loss (CASSANDRA-14861) * Dropped columns can cause reverse sstable iteration to return prematurely (CASSANDRA-14838) * Legacy sstables with multi block range tombstones create invalid bound sequences (CASSANDRA-14823) * Expand range tombstone validation checks to multiple interim request stages (CASSANDRA-14824) * Reverse order reads can return incomplete results (CASSANDRA-14803) * Avoid calling iter.next() in a loop when notifying indexers about range tombstones (CASSANDRA-14794) * Fix purging semi-expired RT boundaries in reversed iterators (CASSANDRA-14672) * DESC order reads can fail to return the last Unfiltered in the partition (CASSANDRA-14766) * Fix corrupted collection deletions for dropped columns in 3.0 <-> 2.{1,2} messages (CASSANDRA-14568) * Fix corrupted static collection deletions in 3.0 <-> 2.{1,2} messages (CASSANDRA-14568) * Handle failures in parallelAllSSTableOperation (cleanup/upgradesstables/etc) (CASSANDRA-14657) * Improve TokenMetaData cache populating performance avoid long locking (CASSANDRA-14660) * Backport: Flush netty client messages immediately (not by default) (CASSANDRA-13651) * Fix static column order for SELECT * wildcard queries (CASSANDRA-14638) * sstableloader should use discovered broadcast address to connect intra-cluster (CASSANDRA-14522) * Fix reading columns with non-UTF names from schema (CASSANDRA-14468) * Don't enable client transports when bootstrap is pending (CASSANDRA-14525) * MigrationManager attempts to pull schema from different major version nodes (CASSANDRA-14928) * Fix incorrect cqlsh results when selecting same columns multiple times (CASSANDRA-13262) * Returns null instead of NaN or Infinity in JSON strings (CASSANDRA-14377) * Paged Range Slice queries with DISTINCT can drop rows from results (CASSANDRA-14956)

Changes in crowbar-openstack: - Update to version 6.0+git.1616146717.a89ae0f4e: * monasca: restart Kibana on update (bsc#1044849)

Changes in grafana - Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358) * Prevent unauthenticated remote attackers from causing a DoS through the snapshots API.

Changes in kibana: - Ensure /etc/sysconfig/kibana is present

- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14, ESA-2017-16) * [4.6] ignore forked code for babel transpile build phase (#13483) * Allow more than match queries in custom filters (#8614) (#10857) * [state] don't make extra $location.replace() calls (#9954) * [optimizer] move to querystring-browser package for up-to-date api * [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls * server: refactor log_interceptor to be more DRY (#9617) * server: downgrade ECANCELED logs to debug (#9616) * server: do not treat logged warnings as errors (#8746) (#9610) * [server/logger] downgrade EPIPE errors to debug level (#9023) * Add basepath when redirecting from a trailling slash (#9035) * [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968) * [server/shortUrl] validate urls before shortening them - Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481) * This fixes an XSS vulnerability in URL fields - Remove %dir declaration from /opt/kibana/optimize to ensure no files owned by root end up in there - Exclude /opt/kibana/optimize from %fdupes - Restart service on upgrade - Do not copy LICENSE.txt and README.txt to /opt/kibana - Fix rpmlint warnings/errors - Switch to explicit patch application - Fix source URL - Fix logic for systemd/systemv detection

- Add 0001-Configurable-custom-response-headers-for-server.patch (bsc#1171909, CVE-2020-10743)

- Added kibana.yml symlink (bsc#1048688, FATE#323204) Changes in openstack-dashboard: - Update to version horizon-14.1.1.dev11: * Consume tempest-horizon from PyPI release

Changes in openstack-ironic: - Update to version ironic-11.1.5.dev17: * Remove lower-constraints job

Changes in openstack-ironic: - Update to version ironic-11.1.5.dev17: * Remove lower-constraints job

Changes in openstack-neutron: - Update to version neutron-13.0.8.dev164: * Schedule networks to new segments if needed

- Update to version neutron-13.0.8.dev162: * Fix invalid JSON generated by quota details

- Update to version neutron-13.0.8.dev160: * Fix deletion of rfp interfaces when router is re-enabled

- Update to version neutron-13.0.8.dev159: * [OVS FW] Allow egress ICMPv6 only for know addresses * [OVS FW] Clean conntrack entries with mark == CT\_MARK\_INVALID

- Update to version neutron-13.0.8.dev155: * Fix removal of dvr-src mac flows when non-gateway port on router is deleted

- Update to version neutron-13.0.8.dev153: * Add some wait time between stopping and starting again ovsdb monitor * Workaround for TCP checksum issue with ovs-dpdk and veth pair

- Update to version neutron-13.0.8.dev149: * Fix wrong packet\_type set for IPv6 GRE tunnels in OVS

- Update to version neutron-13.0.8.dev148: * Fix losses of ovs flows when ovs is restarted

Changes in openstack-neutron: - Update to version neutron-13.0.8.dev164: * Schedule networks to new segments if needed

- Update to version neutron-13.0.8.dev162: * Fix invalid JSON generated by quota details

- Update to version neutron-13.0.8.dev160: * Fix deletion of rfp interfaces when router is re-enabled

- Update to version neutron-13.0.8.dev159: * [OVS FW] Allow egress ICMPv6 only for know addresses * [OVS FW] Clean conntrack entries with mark == CT\_MARK\_INVALID

- Update to version neutron-13.0.8.dev155: * Fix removal of dvr-src mac flows when non-gateway port on router is deleted

- Update to version neutron-13.0.8.dev153: * Add some wait time between stopping and starting again ovsdb monitor * Workaround for TCP checksum issue with ovs-dpdk and veth pair

- Update to version neutron-13.0.8.dev149: * Fix wrong packet\_type set for IPv6 GRE tunnels in OVS

- Update to version neutron-13.0.8.dev148: * Fix losses of ovs flows when ovs is restarted

Changes in openstack-neutron-gbp: - Update to version group-based-policy-12.0.1.dev29: * gbp-validate: Tenant and resource level scoping 2014.2.0rc1

- Update to version group-based-policy-12.0.1.dev27: * Import data\_utils from the new location

- Update to version group-based-policy-12.0.1.dev26: * Add SNAT port's Mac Address to the host\_snat\_ips dictionary

- Update to version group-based-policy-12.0.1.dev25: * Add support for victoria 2014.2.rc1

- Update to version group-based-policy-12.0.1.dev24: * Fix deletion of SVI networks

- Update to version group-based-policy-12.0.1.dev23: * Allow per-port qos configuration on dhcp port 2014.2rc1

- Update to version group-based-policy-12.0.1.dev22: * Add connectivity parameter to driver * [AIM] Fix ERSPAN extension 2014.2.rc1

- Update to version group-based-policy-12.0.1.dev19: * Fix exception with cleanup 2014.2.0rc1

- Update to version group-based-policy-12.0.1.dev18: * Add workaround to get\_subnets

Changes in openstack-nova: - Update to version nova-18.3.1.dev82: * [stable-only] gate: Pin CEPH\_RELEASE to nautilus in LM hook * Change default num\_retries for glance to 3

Changes in openstack-nova: - Update to version nova-18.3.1.dev82: * [stable-only] gate: Pin CEPH\_RELEASE to nautilus in LM hook * Change default num\_retries for glance to 3

Changes in python-Django1: - Add CVE-2021-33203.patch (bsc#1186608, CVE-2021-33203) * Fixed potential path-traversal via admindocs' TemplateDetailView. - Add CVE-2021-33571.patch (bsc#1186611, CVE-2021-33571) * Prevented leading zeros in IPv4 addresses.

- Add CVE-2021-31542.patch (bsc#1185623, CVE-2021-31542) * Fixed CVE-2021-31542 -- Tightened path and file name sanitation in file uploads.

- Add CVE-2021-28658.patch (bsc#1184148, CVE-2021-28658) * Fixed potential directory-traversal via uploaded files

- Add CVE-2021-23336.patch (bsc#1182433, CVE-2021-23336) * Fixed web cache poisoning via django.utils.http.limited_parse_qsl()



Changes in python-py: - Add CVE-2020-29651.patch ((bsc#1179805, CVE-2020-29651) * svnwc: fix regular expression vulnerable to DoS in blame functionality

Changes in python-pysaml2: - Fix patches (SOC-11453) * 0005-Fix-CVE-2021-21238-SAML-XML-Signature-wrapping.patch - rename saml2.xml to saml2.samlxml to avoid overriding the xml module in the system module path - add missing __init__.py files - add missing saml2/data package to setup.py * 0007-Make-previous-commits-python2-compatible.patch so as not to - Adjust to saml2.xml to saml2.samlxml changes - Fix a few more syntax errors and Python2-isms.

- Fix CVE-2021-21238, bsc#1181277 with 0002-Strengthen-XSW-tests.patch , 0003-Fix-the-parser-to-not-break-on-ePTID-AttributeValues.patch , 0004-Add-xsd-schemas.patch , 0005-Fix-CVE-2021-21238-SAML-XML-Signature-wrapping.patch . This adds a dependency on python-xmlschema, which depends on python-elementpath, thus both need to be added for this to work. The used python-xmlschema needs to support the sandbox argument which was added in 1.2.0 and refined in 1.2.1, but that version doesn't support python2, so a patched version that does both is needed. Add 0007-Make-previous-commits-python2-compatible.patch to not add a dependency on reportlib_resources and make other changes python2 compatible. . Fix CVE-2021-21239, bsc#1181278 with 0006-Fix-CVE-2021-21239-Restrict-the-key-data-that-xmlsec.patch

Changes in python-xmlschema:

- Add 3 patches to backport sandbox argument, which is needed by a security fix in python-pysaml2 and one patch to make backport python2 compatible. - Upstream url changed - Add rpmlintrc to make it work on Leap 42.3 - Update to 1.0.18: * Fix for *ModelVisitor.iter_unordered_content()* * Fixed default converter, AbderaConverter and JsonMLConverter for xs:anyType decode * Fixed validation tests with all converters * Added UnorderedConverter to validation tests - Update to 1.0.17: * Enhancement of validation-only speed (~15%) * Added *is_valid()* and *iter_errors()* to module API - Update to 1.0.16: * Improved XMLResource class for working with compressed files * Fix for validation with XSD wildcards and 'lax' process content * Fix ambiguous items validation for xs:choice and xs:sequence models

- Handle UnicodeDecodeErrors during build process

- Update to 1.0.15: * Improved XPath 2.0 bindings * Added logging for schema initialization and building (handled with argument loglevel) * Update encoding of collapsed contents with a new model based reordering method * Removed XLink namespace from meta-schema (loaded from a fallback location like XHTML) * Fixed half of failed W3C instance tests (remain 255 over 15344 tests)

- Initial commit, needed by pytest 5.1.2 Changes in python-elementpath:

- Update to 1.3.1: * Improved schema proxy * Improved XSD type matching using paths * Cached parent path for XPathContext (only Python 3) * Improve typed selection with TypedAttribute and TypedElement named-tuples * Add iter_results to XPathContext * Remove XMLSchemaProxy from package * Fix descendant shortcut operator '//' * Fix text() function * Fix typed select of '(name)' token * Fix 24-hour time for DateTime

- Skip test_hashing to fix 32bit builds

- Initial commit needed by python-xmlschema Changes in rubygem-activerecord-session_store: - added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174) * This requires CVE-2019-16782.patch to be included in rubygem-actionpack-4_2 to work correctly.

Changes in venv-openstack-keystone - Add python-xmlschema and python-elementpath for new python-pysaml2 version.
Family:unixClass:patch
Status:Reference(s):1044849
1048688
1115960
1148383
1170657
1171909
1172409
1172450
1174583
1178243
1179805
1181277
1181278
1181689
1181690
1182317
1182433
1183174
1183803
1184148
1185623
1186608
1186611
CVE-2017-11481
CVE-2017-11499
CVE-2018-18623
CVE-2018-18624
CVE-2018-18625
CVE-2018-19039
CVE-2019-15043
CVE-2019-25025
CVE-2020-10743
CVE-2020-11110
CVE-2020-12052
CVE-2020-13379
CVE-2020-17516
CVE-2020-24303
CVE-2020-29651
CVE-2021-21238
CVE-2021-21239
CVE-2021-23336
CVE-2021-27358
CVE-2021-28658
CVE-2021-31542
CVE-2021-33203
CVE-2021-33571
SUSE-SU-2021:1962-1
Platform(s):SUSE OpenStack Cloud 9
Product(s):
Definition Synopsis
  • SUSE OpenStack Cloud 9 is installed
  • AND Package Information
  • ardana-neutron-9.0+git.1615223676.777f0b3-3.25.2 is installed
  • OR ardana-swift-9.0+git.1618235096.90974ed-3.10.2 is installed
  • OR cassandra-3.11.10-3.3.3 is installed
  • OR cassandra-tools-3.11.10-3.3.3 is installed
  • OR grafana-6.7.4-3.23.2 is installed
  • OR kibana-4.6.6-4.9.2 is installed
  • OR openstack-dashboard-14.1.1~dev11-3.24.6 is installed
  • OR openstack-ironic-11.1.5~dev17-3.25.5 is installed
  • OR openstack-ironic-api-11.1.5~dev17-3.25.5 is installed
  • OR openstack-ironic-conductor-11.1.5~dev17-3.25.5 is installed
  • OR openstack-neutron-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-dhcp-agent-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-gbp-12.0.1~dev29-3.25.3 is installed
  • OR openstack-neutron-ha-tool-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-l3-agent-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-linuxbridge-agent-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-macvtap-agent-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-metadata-agent-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-metering-agent-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-openvswitch-agent-13.0.8~dev164-3.37.4 is installed
  • OR openstack-neutron-server-13.0.8~dev164-3.37.4 is installed
  • OR openstack-nova-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-api-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-cells-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-compute-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-conductor-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-console-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-novncproxy-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-placement-api-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-scheduler-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-serialproxy-18.3.1~dev82-3.37.6 is installed
  • OR openstack-nova-vncproxy-18.3.1~dev82-3.37.6 is installed
  • OR python-Django1-1.11.29-3.25.1 is installed
  • OR python-elementpath-1.3.1-1.3.2 is installed
  • OR python-horizon-14.1.1~dev11-3.24.6 is installed
  • OR python-ironic-11.1.5~dev17-3.25.5 is installed
  • OR python-neutron-13.0.8~dev164-3.37.4 is installed
  • OR python-neutron-gbp-12.0.1~dev29-3.25.3 is installed
  • OR python-nova-18.3.1~dev82-3.37.6 is installed
  • OR python-openstack_auth-14.1.1~dev11-3.24.6 is installed
  • OR python-py-1.5.4-3.3.2 is installed
  • OR python-pysaml2-4.5.0-4.6.2 is installed
  • OR python-xmlschema-1.0.18-1.3.2 is installed
  • OR venv-openstack-barbican-x86_64-7.0.1~dev24-3.23.1 is installed
  • OR venv-openstack-cinder-x86_64-13.0.10~dev20-3.26.1 is installed
  • OR venv-openstack-designate-x86_64-7.0.2~dev2-3.23.1 is installed
  • OR venv-openstack-glance-x86_64-17.0.1~dev30-3.21.1 is installed
  • OR venv-openstack-heat-x86_64-11.0.4~dev4-3.23.1 is installed
  • OR venv-openstack-horizon-x86_64-14.1.1~dev11-4.27.3 is installed
  • OR venv-openstack-ironic-x86_64-11.1.5~dev17-4.21.2 is installed
  • OR venv-openstack-keystone-x86_64-14.2.1~dev4-3.24.3 is installed
  • OR venv-openstack-magnum-x86_64-7.2.1~dev1-4.23.1 is installed
  • OR venv-openstack-manila-x86_64-7.4.2~dev60-3.29.1 is installed
  • OR venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.23.2 is installed
  • OR venv-openstack-monasca-x86_64-2.7.1~dev10-3.21.1 is installed
  • OR venv-openstack-neutron-x86_64-13.0.8~dev164-6.27.3 is installed
  • OR venv-openstack-nova-x86_64-18.3.1~dev82-3.27.3 is installed
  • OR venv-openstack-octavia-x86_64-3.2.3~dev7-4.23.1 is installed
  • OR venv-openstack-sahara-x86_64-9.0.2~dev15-3.23.1 is installed
  • OR venv-openstack-swift-x86_64-2.19.2~dev48-2.18.1 is installed
  • BACK