SUSE: 2020:3309-1 important: ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana
Summary
This update for ansible, ardana-ansible, ardana-cinder, ardana-glance,
ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack,
documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel,
openstack-cinder, openstack-monasca-installer, openstack-neutron,
openstack-nova, python-Django, python-Flask-Cors, python-Pillow,
python-ardana-packager, python-keystoneclient, python-keystonemiddleware,
python-kombu, python-straight-plugin, python-urllib3,
release-notes-suse-openstack-cloud, storm, storm-kit,
venv-openstack-cinder, venv-openstack-swift contains the following fixes:
Security fixes included in this update:
ansible to 2.9.14:
- CVE-2020-1733: Fixed insecure temporary directory when running
become_user (bsc#1164140).
- CVE-2020-1753: Kubectl connection plugin - the connection plugin now redacts
kubectl_token and kubectl_password in the console log (bsc#1166389).
- CVE-2020-14365: Previously, regardless of the disable_gpg_check
option, packages were not GPG validated. They are now. (bsc#1175993)
- CVE-2020-14332: copy - Redact the value of the no_log 'content'
parameter in the result's invocation.module_args in check mode.
Previously when used with check mode and with '-vvv', the module would
not censor the content if a change would be made to the destination
path. (bsc#1174302)
- CVE-2020-1736: atomic_move - Change default permissions when creating
temporary files so they are not world readable (bsc#1164134).
- CVE-2020-14330: Sanitize no_log values from any response keys that
might be returned from the uri module (bsc#1174145).
- CVE-2019-14846: Reset logging level to INFO (bsc#1153452).
- CVE-2020-10744: Fixed the incomplete fix for CVE-2020-1733 (bsc#1171823).
grafana:
- CVE-2018-18623, CVE-2018-18624, CVE-2018-18625: Fixed multiple XSS
vulnerabilities in the dashboard due to an incomplete fix for CVE-2018-12099
(bsc#1172450).
- CVE-2020-11110: Fixed a stored XSS (bsc#1174583).
openstack-nova:
- CVE-2020-17376: Fixed an information leak during live migration
(bsc#1175484).
python-Django to 1.11.29:
- CVE-2020-7471: Fixed a SQL injection via StringAgg delimiter
(bsc#1161919).
- CVE-2020-9402: Fixed a SQL injection via tolerance parameter in GIS
functions and aggregates (bsc#1165022).
- CVE-2019-19844: Fixed a potential account hijack via password reset form
(bsc#1159447).
python-Flask-Cors:
- CVE-2020-25032: Fixed a potential information leak through path traversal
(bsc#1175986).
python-Pillow:
- CVE-2020-10177: Fixed multiple out-of-bounds reads in
libImaging/FliDecode.c (bsc#1173413).
- CVE-2020-10994: Fixed multiple out-of-bounds reads via crafted JP2
files (bsc#1173418).
- CVE-2020-10378: Fixed an out-of-bounds read when reading PCX files
(bsc#1173416).
python-urllib3:
- CVE-2020-26137: Fixed CRLF injection via the HTTP request method
(bsc#1177120).
storm:
- CVE-2018-11779: Fixed a Java deserialization vulnerability related to the
usage of the storm-kafka-client or storm-kafka modules (bsc#1143163).
- CVE-2019-0202: Fixed an information leak related to the log viewer
(bsc#1142617).
rubygem-crowbar-client update to 3.9.3:
- CVE-2018-17954: Fixed an information leak of the admin password to all
nodes in cleartext during provisioning (bsc#1117080).
Non-security fixes included in this update:
Changes in ansible:
- Update to ansible 2.9.14:
- minor bugs and fixes, including security bugs:
- CVE-2020-1753, bsc#1166389: Kubectl connection plugin - the connection
plugin now redacts kubectl_token and kubectl_password in the console log.
- revert CVE-2020-1736. Users are encouraged to specify a mode
parameter in their file-based tasks when the files being manipulated
contain sensitive data.
- CVE-2020-14365, bsc#1175993: Previously, regardless of the
disable_gpg_check option, packages were not GPG validated. They are
now.
- CVE-2020-14332, bsc#1174302: copy - Redact the value of the no_log
'content' parameter in the result's invocation.module_args in check
mode. Previously when used with check mode and with '-vvv', the
module would not censor the content if a change would be made to the
destination path.
- CVE-2020-1736, bsc#1164134: atomic_move - Change default permissions
when creating temporary files so they are not world readable
- CVE-2020-14330, bsc#1174145: Sanitize no_log values from any
response keys that might be returned from the uri module.
- CVE-2019-14846, bsc#1153452: Reset logging level to INFO.
- CVE-2020-10744, bsc#1171823, gh#ansible/ansible#69782: incomplete
fix for CVE-2020-1733
- Remove patches included upstream:
- CVE-2020-14330_exposed_keys_uri_mod.patch
- CVE-2020-10744_avoid_mkdir_p.patch
- Don't require python-coverage; it is needed only for testing
(bsc#1177948).
- Add CVE-2020-14330_exposed_keys_uri_mod.patch which fixes CVE-2020-14330
(bsc#1174145). Sanitize no_log values from any response keys that might
be returned from the uri module. Sensitive values marked with
``no_log=True`` will automatically have that value stripped from module
return values. If your module could return these sensitive values as
part of a dictionary key name, you should call the
``ansible.module_utils.basic.sanitize_keys()`` function to strip the
values from the keys. See the ``uri`` module for an example.
- importlib and argparse are required only on SLE-11 and older.
- Add CVE-2020-10744_avoid_mkdir_p.patch (bsc#1171823) to fix insecure
temporary directory creation.
- Add metadata information to this file to mark which SUSE Bugzilla bugs
have already been fixed.
- Remove CVE-2017-7550-jenkins-disallow-password-in-params.patch as it has
already been included in 2.4.1.0.
- update to version 2.9.9
* fix for a regression introduced in 2.9.8
- update to version 2.9.8 maintenance release containing numerous bugfixes
- update to version 2.9.7 with many bug fixes, especially for these
security issues:
- bsc#1164140 CVE-2020-1733 - insecure temporary directory when running
become_user from become directive
- bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe lookup
plugin subprocess
- bsc#1164137 CVE-2020-1735 - path injection on dest parameter in fetch
module
- bsc#1164134 CVE-2020-1736 atomic_move primitive sets permissive
permissions
- bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip module
does not check extracted path
- bsc#1164136 CVE-2020-1738 module package can be selected by the
ansible facts
- bsc#1164133 CVE-2020-1739 - svn module leaks password when specified
as a parameter
- bsc#1164135 CVE-2020-1740 - secrets readable after ansible-vault edit
- bsc#1165393 CVE-2020-1746 - information disclosure issue in ldap_attr
and ldap_entry modules
- bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks sensitive
information
- bsc#1167532 CVE-2020-10684 - code injection when using ansible_facts
as a subkey
- bsc#1167440 CVE-2020-10685 - modules which use files encrypted with
vault are not properly cleaned up
- CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy
collection install [2]
- create missing (empty) template and files directories for
'ansible-galaxy init' during package build (fixes boo#1137479)
- require python-xml on python 2 systems (boo#1142542)
- update to version 2.9.6 (maintenance release) including these security
issues:
- bsc#1171162 CVE-2020-10729 two random password lookups in same task
return same value
- update to version 2.9.5 (maintenance release)
- update to version 2.9.4 (maintenance release)
- fix in yum module
- security fixes:
- bsc#1157968 CVE-2019-14904 vulnerability in solaris_zone module via
crafted solaris zone
- bsc#1157969 CVE-2019-14905 malicious code could craft filename in
nxos_file_copy module
- update to version 2.9.3 (maintenance release)
* security fixes
- CVE-2019-14904 (solaris_zone module) (boo#1157968)
- CVE-2019-14905 (nxos_file_copy module) (boo#1157969)
* various bugfixes
- sync with upstream spec file (especially for RHEL & Fedora builds)
- ran spec-cleaner
- remove old SUSE targets (SLE-11, Leap 42.3 and below). This simplifies
the spec file and makes building easier.
- Additional required packages for building:
+ python-boto3 and python-botocore for Amazon EC2
+ python-jmespath for json queries
+ python-memcached for cloud modules and local caching of JSON
formatted, per host records
+ python-redis for cloud modules and local caching of JSON formatted,
per host records
+ python-requests for many web-based modules (cloud, network, netapp). As
the need for those packages depends on how the tool is used, they are
only recommended on openSUSE/SUSE machines.
- made dependencies for gitlab, vmware and winrm modules configurable, as
most of their dependencies are not (yet) available on current
openSUSE/SUSE distributions
- exclude /usr/bin/pwsh from the automatic dependency generation, as
Windows PowerShell is not available (yet) on openSUSE/SUSE
- build additional docs and split up ansible-doc package; moving
changelogs, contrib and example directories there
- prepare for building HTML documentation, but disable this per default
for the moment, as not all package dependencies are available in
openSUSE/SUSE (yet)
- package some test scripts with executable permissions
- update to version 2.9.2 maintenance release containing numerous bugfixes
- Create system directories that Ansible defines as default locations in
ansible/config/base.yml
- rephrase the summary line
- Disable shebang munging for specific paths. These files are data files.
ansible-test munges the shebangs itself.
- split out ansible-test package for module developers
- update to version 2.9.1. Full changelog is packaged at
/usr/share/doc/packages/ansible/changelogs/ and also available online.
+ CVE-2019-14864: fixed Splunk and Sumologic callback plugins leak
sensitive data in logs (boo#1154830)
- replace all #!/usr/bin/env lines to use #!/usr/bin/$1 directly
- added file '/usr/bin/ansible-test' to spec file
- Update to version 2.9.0: Full changelog is packaged at
/usr/share/doc/packages/ansible/changelogs/ and also available online.
- Fixed, among others, this security bug:
- bsc#1112959 CVE-2018-16837 Information leak in the "user" module (patch
added)
- include the sha checksum file in the source, which allows verifying the
original sources
- Update to version 2.8.6: Full changelog is packaged at
/usr/share/doc/packages/ansible/changelogs/ and also available online.
Included security fixes:
* CVE-2019-14846: Fixed secrets disclosure in logs because the display was
hardcoded to DEBUG level (bsc#1153452)
* CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (bsc#1154232)
* CVE-2019-14858: Fixed data in sub-parameter fields not being masked and
being displayed when run with increased verbosity (bsc#1154231)
- Update to version 2.8.5: Full changelog is packaged at
/usr/share/doc/packages/ansible/changelogs/ and also available online.
- removed patches fixed upstream:
+ CVE-2019-10206-data-disclosure.patch
+ CVE-2019-10217-gcp-modules-sensitive-fields.patch
- Update to version 2.8.3: Full changelog is packaged and also available
online.
- (bsc#1137528) CVE-2019-10156: ansible: templating causing an
unexpected key file to be set on remote node
- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch.
CVE-2019-10217: Fields managing sensitive data should be marked as such by
the no_log feature. Some of these fields in GCP modules are not set
properly. service_account_contents(), which is a common class for all GCP
modules, does not set no_log to True. Any sensitive data managed by that
function would be leaked as output when running Ansible playbooks.
- Update to version 2.8.1. Full changelog is at
/usr/share/doc/packages/ansible/changelogs/. Bugfixes:
- ACI - Do not encode query_string
- ACI modules - Fix non-signature authentication
- Add missing directory provided via ``--playbook-dir`` to adjacent
collection loading
- Fix "Interface not found" errors when using eos_l2_interface with
nonexistent interfaces configured
- Fix cannot get credential when `source_auth` set to `credential_file`.
- Fix netconf_config backup string issue
- Fix privilege escalation support for the docker connection plugin when
credentials need to be supplied (e.g. sudo with password).
- Fix vyos cli prompt inspection
- Fixed loading namespaced documentation fragments from collections.
- Fix bug that came up after running the cnos_vrf module against Coverity.
- Properly handle data importer failures on PVC creation, instead of
timing out.
- To fix the ios static route TC failure in CI
- To fix the nios member module params
- To fix the nios_zone module idempotency failure
- add terminal initial prompt for initial connection
- allow include_role to work with ansible command
- allow python_requirements_facts to report on dependencies containing
dashes
- asa_config fix
- azure_rm_roledefinition - fix a small error in build scope.
- azure_rm_virtualnetworkpeering - fix cross subscriptions virtual
network peering.
- cgroup_perf_recap - When not using file_per_task, make sure we don't
prematurely close the perf files
- display underlying error when reporting an invalid ``tasks:`` block.
- dnf - fix wildcard matching for state: absent
- docker connection plugin - accept version ``dev`` as 'newest version'
and print warning.
- docker_container - ``oom_killer`` and ``oom_score_adj`` options are
available since docker-py 1.8.0, not 2.0.0 as assumed by the version
check.
- docker_container - fix network creation when
``networks_cli_compatible`` is enabled.
- docker_container - use docker API's ``restart`` instead of
``stop``/``start`` to restart a container.
- docker_image - if ``build`` was not specified, the wrong default for
``build.rm`` is used.
- docker_image - if ``nocache`` set to ``yes`` but not
``build.nocache``, the module failed.
- docker_image - module failed when ``source: build`` was set but
``build.path`` options not specified.
- docker_network module - fix idempotency when using ``aux_addresses``
in ``ipam_config``.
- ec2_instance - make Name tag idempotent
- eos: don't fail modules without become set, instead show message and
continue
- eos_config: check for session support when asked to 'diff_against:
session'
- eos_eapi: fix idempotency issues when vrf was unspecified.
- fix bugs for ce - more info see
- fix incorrect uses of to_native that should be to_text instead.
- hcloud_volume - Fix idempotency when attaching a server to a volume.
- ibm_storage - Added a check for null fields in ibm_storage utils
module.
- include_tasks - whitelist ``listen`` as a valid keyword
- k8s - resource updates applied with force work correctly now
- keep results subset also when not no_log.
- meraki_switchport - improve reliability with native VLAN functionality.
- netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and
clearing functionality
- netapp_e_volumes - fix workload profileId indexing when no previous
workload tags exist on the storage array.
- nxos_acl some platforms/versions raise when no ACLs are present
- nxos_facts fix
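The CVE-2020-14330 entry above explains that no_log values can leak through dictionary key names (for example in uri response headers) and that modules should run their results through sanitize_keys(). The following is an added example, not Ansible's own code: a self-contained re-implementation of that idea in plain Python, where only the redaction marker is Ansible's and the function bodies and the sample result are constructed here.

```python
# Added example, not Ansible's own code: a self-contained re-implementation of
# the no_log key sanitisation so it runs without Ansible installed. Function
# names mirror ansible.module_utils.basic; the bodies are simplified.
from collections.abc import Mapping, Sequence

# The placeholder Ansible substitutes for redacted values.
REDACTED = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def remove_values(value, no_log_strings):
    """Redact no_log strings that appear in *values* (scalars, lists, dicts).

    A string containing any secret is replaced wholesale. Dictionary keys are
    left untouched, which is exactly the gap CVE-2020-14330 is about.
    """
    if isinstance(value, str):
        return REDACTED if any(s in value for s in no_log_strings) else value
    if isinstance(value, Mapping):
        return {k: remove_values(v, no_log_strings) for k, v in value.items()}
    if isinstance(value, Sequence) and not isinstance(value, (str, bytes)):
        return [remove_values(v, no_log_strings) for v in value]
    return value


def sanitize_keys(obj, no_log_strings, ignore_keys=frozenset()):
    """Redact no_log strings in dictionary *key names* as well as in values.

    Keys listed in ignore_keys keep their name (their values are still cleaned).
    """
    if isinstance(obj, Mapping):
        cleaned = {}
        for key, val in obj.items():
            new_key = key
            if isinstance(key, str) and key not in ignore_keys:
                new_key = remove_values(key, no_log_strings)
            cleaned[new_key] = sanitize_keys(val, no_log_strings, ignore_keys)
        return cleaned
    if isinstance(obj, Sequence) and not isinstance(obj, (str, bytes)):
        return [sanitize_keys(v, no_log_strings, ignore_keys) for v in obj]
    return remove_values(obj, no_log_strings)


# Constructed sample: a uri-style result in which a server echoed a bearer
# token back inside a response header *name*, not only in header values.
SECRET = "s3cr3t-token-123"
SAMPLE_RESULT = {
    "status": 200,
    "url": "https://example.invalid/login?access_token=" + SECRET,
    "headers": {
        "content_type": "application/json",
        "x_debug_" + SECRET: "1",           # secret embedded in the key name
        "set_cookie": "session=" + SECRET,  # secret in a value
    },
}


def demo():
    """Return the sample result redacted by values only, then by keys too."""
    values_only = remove_values(SAMPLE_RESULT, {SECRET})
    keys_and_values = sanitize_keys(SAMPLE_RESULT, {SECRET})
    return values_only, keys_and_values


if __name__ == "__main__":
    before, after = demo()
    print("key leak after remove_values:", any(SECRET in k for k in before["headers"]))
    print("key leak after sanitize_keys:", any(SECRET in k for k in after["headers"]))
```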
References
#1008037 #1008038 #1010940 #1019021 #1038785
#1056094 #1059235 #1080682 #1097775 #1102126
#1109957 #1112959 #1117080 #1118896 #1123561
#1126503 #1137479 #1137528 #1142121 #1142542
#1144453 #1153452 #1154231 #1154232 #1154830
#1157968 #1157969 #1159447 #1161919 #1164133
#1164134 #1164135 #1164136 #1164137 #1164138
#1164139 #1164140 #1165022 #1165393 #1166389
#1167440 #1167532 #1171162 #1171823 #1172450
#1173413 #1173416 #1173418 #1174006 #1174145
#1174242 #1174302 #1174583 #1175484 #1175986
#1175993 #1177120 #1177948 SOC-10300 SOC-10522
SOC-10616 SOC-11000 SOC-11223 SOC-11342 SOC-11352
SOC-11364 SOC-11386 SOC-11389 SOC-11391 SOC-6780
SOC-9974 SOC-9998
Cross-References: CVE-2016-8614 CVE-2016-8628 CVE-2016-8647
CVE-2016-9587 CVE-2017-7466 CVE-2017-7550
CVE-2018-10875 CVE-2018-11779 CVE-2018-16837
CVE-2018-16859 CVE-2018-16876 CVE-2018-18623
CVE-2018-18624 CVE-2018-18625 CVE-2019-0202
CVE-2019-10156 CVE-2019-10206 CVE-2019-10217
CVE-2019-14846 CVE-2019-14856 CVE-2019-14858
CVE-2019-14864 CVE-2019-14904 CVE-2019-14905
CVE-2019-19844 CVE-2019-3828 CVE-2020-10177
CVE-2020-10378 CVE-2020-10684 CVE-2020-10685
CVE-2020-10691 CVE-2020-10729 CVE-2020-10744
CVE-2020-10994 CVE-2020-11110 CVE-2020-14330
CVE-2020-14332 CVE-2020-14365 CVE-2020-1733
CVE-2020-1734 CVE-2020-1735 CVE-2020-1736
CVE-2020-1737 CVE-2020-17376 CVE-2020-1738
CVE-2020-1739 CVE-2020-1740 CVE-2020-1746
CVE-2020-1753 CVE-2020-25032 CVE-2020-26137
CVE-2020-7471 CVE-2020-9402
Affected Products:
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 8
HPE Helion Openstack 8
https://www.suse.com/security/cve/CVE-2016-8614.html
https://www.suse.com/security/cve/CVE-2016-8628.html
https://www.suse.com/security/cve/CVE-2016-8647.html
https://www.suse.com/security/cve/CVE-2016-9587.html
https://www.suse.com/security/cve/CVE-2017-7466.html
https://www.suse.com/security/cve/CVE-2017-7550.html
https://www.suse.com/security/cve/CVE-2018-10875.html
https://www.suse.com/security/cve/CVE-2018-11779.html
https://www.suse.com/security/cve/CVE-2018-16837.html
https://www.suse.com/security/cve/CVE-2018-16859.html
https://www.suse.com/security/cve/CVE-2018-16876.html
https://www.suse.com/security/cve/CVE-2018-18623.html
https://www.suse.com/security/cve/CVE-2018-18624.html
https://www.suse.com/security/cve/CVE-2018-18625.html
https://www.suse.com/security/cve/CVE-2019-0202.html
https://www.suse.com/security/cve/CVE-2019-10156.html
https://www.suse.com/security/cve/CVE-2019-10206.html
https://www.suse.com/security/cve/CVE-2019-10217.html
https://www.suse.com/security/cve/CVE-2019-14846.html
https://www.suse.com/security/cve/CVE-2019-14856.html
https://www.suse.com/security/cve/CVE-2019-14858.html
https://www.suse.com/security/cve/CVE-2019-14864.html
https://www.suse.com/security/cve/CVE-2019-14904.html
https://www.suse.com/security/cve/CVE-2019-14905.html
https://www.suse.com/security/cve/CVE-2019-19844.html
https://www.suse.com/security/cve/CVE-2019-3828.html
https://www.suse.com/security/cve/CVE-2020-10177.html
https://www.suse.com/security/cve/CVE-2020-10378.html
https://www.suse.com/security/cve/CVE-2020-10684.html
https://www.suse.com/security/cve/CVE-2020-10685.html
https://www.suse.com/security/cve/CVE-2020-10691.html
https://www.suse.com/security/cve/CVE-2020-10729.html
https://www.suse.com/security/cve/CVE-2020-10744.html
https://www.suse.com/security/cve/CVE-2020-10994.html
https://www.suse.com/security/cve/CVE-2020-11110.html
https://www.suse.com/security/cve/CVE-2020-14330.html
https://www.suse.com/security/cve/CVE-2020-14332.html
https://www.suse.com/security/cve/CVE-2020-14365.html
https://www.suse.com/security/cve/CVE-2020-1733.html
https://www.suse.com/security/cve/CVE-2020-1734.html
https://www.suse.com/security/cve/CVE-2020-1735.html
https://www.suse.com/security/cve/CVE-2020-1736.html
https://www.suse.com/security/cve/CVE-2020-1737.html
https://www.suse.com/security/cve/CVE-2020-17376.html
https://www.suse.com/security/cve/CVE-2020-1738.html
https://www.suse.com/security/cve/CVE-2020-1739.html
https://www.suse.com/security/cve/CVE-2020-1740.html
https://www.suse.com/security/cve/CVE-2020-1746.html
https://www.suse.com/security/cve/CVE-2020-1753.html
https://www.suse.com/security/cve/CVE-2020-25032.html
https://www.suse.com/security/cve/CVE-2020-26137.html
https://www.suse.com/security/cve/CVE-2020-7471.html
https://www.suse.com/security/cve/CVE-2020-9402.html
https://bugzilla.suse.com/1008037
https://bugzilla.suse.com/1008038
https://bugzilla.suse.com/1010940
https://bugzilla.suse.com/1019021
https://bugzilla.suse.com/1038785
https://bugzilla.suse.com/1056094
https://bugzilla.suse.com/1059235
https://bugzilla.suse.com/1080682
https://bugzilla.suse.com/1097775
https://bugzilla.suse.com/1102126
https://bugzilla.suse.com/1109957
https://bugzilla.suse.com/1112959
https://bugzilla.suse.com/1117080
https://bugzilla.suse.com/1118896
https://bugzilla.suse.com/1123561
https://bugzilla.suse.com/1126503
https://bugzilla.suse.com/1137479
https://bugzilla.suse.com/1137528
https://bugzilla.suse.com/1142121
https://bugzilla.suse.com/1142542
https://bugzilla.suse.com/1144453
https://bugzilla.suse.com/1153452
https://bugzilla.suse.com/1154231
https://bugzilla.suse.com/1154232
https://bugzilla.suse.com/1154830
https://bugzilla.suse.com/1157968
https://bugzilla.suse.com/1157969
https://bugzilla.suse.com/1159447
https://bugzilla.suse.com/1161919
https://bugzilla.suse.com/1164133
https://bugzilla.suse.com/1164134
https://bugzilla.suse.com/1164135
https://bugzilla.suse.com/1164136
https://bugzilla.suse.com/1164137
https://bugzilla.suse.com/1164138
https://bugzilla.suse.com/1164139
https://bugzilla.suse.com/1164140
https://bugzilla.suse.com/1165022
https://bugzilla.suse.com/1165393
https://bugzilla.suse.com/1166389
https://bugzilla.suse.com/1167440
https://bugzilla.suse.com/1167532
https://bugzilla.suse.com/1171162
https://bugzilla.suse.com/1171823
https://bugzilla.suse.com/1172450
https://bugzilla.suse.com/1173413
https://bugzilla.suse.com/1173416
https://bugzilla.suse.com/1173418
https://bugzilla.suse.com/1174006
https://bugzilla.suse.com/1174145
https://bugzilla.suse.com/1174242
https://bugzilla.suse.com/1174302
https://bugzilla.suse.com/1174583
https://bugzilla.suse.com/1175484
https://bugzilla.suse.com/1175986
https://bugzilla.suse.com/1175993
https://bugzilla.suse.com/1177120
https://bugzilla.suse.com/1177948