SUSE: 2020:3624-1 moderate: crowbar-openstack, grafana, influxdb, python-urllib3
Summary
This update for crowbar-openstack, grafana, influxdb, python-urllib3 contains the following fixes: Security fixes included in this update: openstack-glance - CVE-2016-8611: Added rate limiting for glance api (bnc#1005886) grafana - CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch datasource (#bnc#1178243) influxdb - CVE-2019-20933: Fixed an authentication bypass (bnc#1178988) python-urlib3 - CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071). - CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bnc#1177120) memcached - CVE-2018-1000115: Fixed a issue where a UDP server allowed spoofed traffic amplification DoS (bnc#1083903). Non-security fixes included in this update: Changes in crowbar-openstack: - Update to version 4.0+git.1604938545.30c10db18: * rabbitmq: Fix crm running check (SOC-11240) Changes in grafana: - Fix bnc#1178243 CVE-2020-24303 by adding 25401-Fix-XSS-vulnerability-with-series-overrides.patch Changes in influxdb: - Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to fix authentication bypass_ - Declare license files correctly - Version 1.2.4: * The stress tool influx_stress will be removed in a subsequent release. * Remove the override of GOMAXPROCS. * Uncomment section headers from the default configuration file. * Improve write performance significantly. * Prune data in meta store for deleted shards. * Update latest dependencies with Godeps. * Introduce syntax for marking a partial response with chunking. * Use X-Forwarded-For IP address in HTTP logger if present. * Add support for secure transmission via collectd. * Switch logging to use structured logging everywhere. * [CLI feature request] USE retention policy for queries. * Add clear command to cli. * Adding ability to use parameters in queries in the v2 client using the Parameters map in the Query struct. * Allow add items to array config via ENV * Support subquery execution in the query language. * Verbose output for SSL connection errors. * Cache snapshotting performance improvements - Partially revert previous change to fix build for Leap Changes in python-urllib3: - Update urllib3-fix-test-urls.patch. Adjust to match upstream solution. - Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for CVE-2019-9740. - Add urllib3-cve-2020-26137.patch. Don't allow control chars in request method. (bnc#1177120, CVE-2020-26137) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3624=1 Package List: - SUSE OpenStack Cloud 7 (x86_64): grafana-6.7.4-1.20.1 influxdb-1.2.4-5.1 influxdb-debuginfo-1.2.4-5.1 - SUSE OpenStack Cloud 7 (noarch): crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1 python-urllib3-1.16-3.12.1
References
#1005886 #1170479 #1177120 #1178243 #1178988
SOC-11240
Cross- CVE-2016-8611 CVE-2019-20933 CVE-2019-9740
CVE-2020-24303 CVE-2020-26137
Affected Products:
SUSE OpenStack Cloud 7
https://www.suse.com/security/cve/CVE-2016-8611.html
https://www.suse.com/security/cve/CVE-2019-20933.html
https://www.suse.com/security/cve/CVE-2019-9740.html
https://www.suse.com/security/cve/CVE-2020-24303.html
https://www.suse.com/security/cve/CVE-2020-26137.html
https://bugzilla.suse.com/1005886
https://bugzilla.suse.com/1170479
https://bugzilla.suse.com/1177120
https://bugzilla.suse.com/1178243
https://bugzilla.suse.com/1178988