SUSE Security Update: Security update for crowbar-openstack, grafana, influxdb, python-urllib3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3624-1
Rating:             moderate
References:         #1005886 #1170479 #1177120 #1178243 #1178988 
                    SOC-11240 
Cross-References:   CVE-2016-8611 CVE-2019-20933 CVE-2019-9740
                    CVE-2020-24303 CVE-2020-26137
Affected Products:
                    SUSE OpenStack Cloud 7
______________________________________________________________________________

   An update that fixes 5 vulnerabilities and contains one
   feature is now available.

Description:

   This update for crowbar-openstack, grafana, influxdb, python-urllib3
   contains the following fixes:

   Security fixes included in this update:

   openstack-glance
   - CVE-2016-8611: Added rate limiting for glance api (bnc#1005886)

   grafana
   - CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch
     datasource (bnc#1178243)

   influxdb
   - CVE-2019-20933: Fixed an authentication bypass (bnc#1178988)

   python-urllib3
   - CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071).
   - CVE-2020-26137: Fixed a CRLF injection via HTTP request method
     (bnc#1177120)

   memcached
   - CVE-2018-1000115: Fixed an issue where the UDP server allowed spoofed-traffic
     amplification DoS (bnc#1083903).

   Non-security fixes included in this update:

   Changes in crowbar-openstack:
   - Update to version 4.0+git.1604938545.30c10db18:
     * rabbitmq: Fix crm running check (SOC-11240)

   Changes in grafana:
   - Fix bnc#1178243 CVE-2020-24303 by adding
     25401-Fix-XSS-vulnerability-with-series-overrides.patch

   Changes in influxdb:
   - Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to fix
     authentication bypass
   - Declare license files correctly

   - Version 1.2.4:
     * The stress tool influx_stress will be removed in a subsequent release.
     * Remove the override of GOMAXPROCS.
     * Uncomment section headers from the default configuration file.
     * Improve write performance significantly.
     * Prune data in meta store for deleted shards.
     * Update latest dependencies with Godeps.
     * Introduce syntax for marking a partial response with chunking.
     * Use X-Forwarded-For IP address in HTTP logger if present.
     * Add support for secure transmission via collectd.
     * Switch logging to use structured logging everywhere.
     * [CLI feature request] USE retention policy for queries.
     * Add clear command to cli.
     * Adding ability to use parameters in queries in the v2 client using the
       Parameters map in the Query struct.
     * Allow adding items to array config via ENV.
     * Support subquery execution in the query language.
     * Verbose output for SSL connection errors.
     * Cache snapshotting performance improvements.

   - Partially revert previous change to fix build for Leap

   Changes in python-urllib3:
   - Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.

   - Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for
     CVE-2019-9740.

   - Add urllib3-cve-2020-26137.patch. Don't allow control chars in request
     method. (bnc#1177120, CVE-2020-26137)
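
   Both urllib3 fixes above close the same bug class: a CR/LF inside a
   caller-supplied string (the URL's query for CVE-2019-9740, the method string
   for CVE-2020-26137) is spliced verbatim into the request line, so the server
   reads whatever follows the first CRLF as additional header lines. The Python
   below is an added example, not urllib3's own code: it shows the unchecked
   builder beside a hardened one and parses the result the way a server would.
   Its token regex and its choice to reject rather than percent-encode a bad
   target are this illustration's assumptions.

```python
import re
from typing import List

# RFC 7230 "token" characters, the only bytes a legitimate HTTP method may contain.
# This regex is the example's own; it is not a copy of urllib3's check.
_TOKEN_RE = re.compile(r"^[-!#$%&'*+.^_`|~0-9A-Za-z]+$")
# ASCII control characters (CR and LF included) that must not appear in a request target.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def build_request_line_unchecked(method: str, target: str) -> bytes:
    """Splice caller input straight into the wire format. This is the pre-fix
    behaviour: a CRLF inside method or target ends the request line early and
    everything after it is sent as extra header lines."""
    return f"{method} {target} HTTP/1.1\r\n".encode("latin-1")


def build_request_line_hardened(method: str, target: str) -> bytes:
    """Same builder, but refuse a non-token method (the CVE-2020-26137 class)
    and any control character in the target (the CVE-2019-9740 class) before
    anything reaches the socket. Rejecting the target is a simplification;
    percent-encoding it is the other legitimate choice."""
    if not _TOKEN_RE.match(method):
        raise ValueError(f"Method cannot contain non-token characters: {method!r}")
    if _CONTROL_RE.search(target):
        raise ValueError(f"URL can't contain control characters: {target!r}")
    return build_request_line_unchecked(method, target)


def injected_header_lines(request_line: bytes) -> List[bytes]:
    """Parse the bytes the way a server does: the first CRLF terminates the
    request line and every non-empty line after it is read as a header.
    A clean request line therefore yields an empty list."""
    return [line for line in request_line.split(b"\r\n")[1:] if line]


def is_safe_request(method: str, target: str) -> bool:
    """True if the hardened builder accepts the pair, False if it rejects it."""
    try:
        build_request_line_hardened(method, target)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a method and a query value that each smuggle a CRLF.
    evil_method = "GET / HTTP/1.1\r\nX-Injected: yes\r\nGET"
    evil_target = "/search?q=a\r\nX-Injected: yes"
    for m, t in (("GET", "/index.html"), (evil_method, "/index.html"), ("GET", evil_target)):
        smuggled = injected_header_lines(build_request_line_unchecked(m, t))
        print(f"method={m!r} target={t!r} smuggled={smuggled} hardened_accepts={is_safe_request(m, t)}")
```

   The unchecked builder turns the hostile method into a complete request line
   plus an `X-Injected` header, with the caller's real target demoted to a
   garbage header line; the hardened builder raises before any bytes are built.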


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3624=1



Package List:

   - SUSE OpenStack Cloud 7 (x86_64):

      grafana-6.7.4-1.20.1
      influxdb-1.2.4-5.1
      influxdb-debuginfo-1.2.4-5.1

   - SUSE OpenStack Cloud 7 (noarch):

      crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1
      python-urllib3-1.16-3.12.1
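
   After running the patch command, confirm that the installed builds are at or
   above the versions listed. The script below is an added example, not SUSE
   tooling: it reimplements rpm's version ordering in Python so the comparison
   can run anywhere against saved `rpm -q` output. The sample output is
   constructed, caret ordering is omitted, and epochs are ignored because none
   of the packages above carries one.

```python
import re
from typing import Dict, Tuple

# Fixed version/release pairs from the Package List above (SUSE OpenStack Cloud 7).
FIXED: Dict[str, Tuple[str, str]] = {
    "grafana": ("6.7.4", "1.20.1"),
    "influxdb": ("1.2.4", "5.1"),
    "crowbar-openstack": ("4.0+git.1604938545.30c10db18", "9.77.1"),
    "python-urllib3": ("1.16", "3.12.1"),
}

_ARCHES = ("x86_64", "noarch", "i586", "aarch64", "ppc64le", "s390x")

# Constructed `rpm -q grafana influxdb crowbar-openstack python-urllib3` output
# for a host on which the update was only partially applied.
SAMPLE_RPM_Q = """grafana-6.7.4-1.17.3.x86_64
influxdb-1.2.4-5.1.x86_64
crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch
python-urllib3-1.16-3.9.1.noarch
"""


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm's rpmvercmp() does
    (caret handling omitted): both are split into numeric and alphabetic
    segments, compared segment by segment, a numeric segment beats an
    alphabetic one, and '~' sorts before everything else, so "1.0~rc1" < "1.0".
    Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not ASCII alphanumeric or '~') are skipped.
        while i < len(a) and not ((a[i].isascii() and a[i].isalnum()) or a[i] == "~"):
            i += 1
        while j < len(b) and not ((b[j].isascii() and b[j].isalnum()) or b[j] == "~"):
            j += 1
        ta, tb = a.startswith("~", i), b.startswith("~", j)
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        seg = r"[0-9]+" if a[i].isdigit() else r"[A-Za-z]+"
        ma, mb = re.match(seg, a[i:]), re.match(seg, b[j:])
        if mb is None:
            # Segment types differ: the numeric side is the newer one.
            return 1 if a[i].isdigit() else -1
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if sa.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left is the newer one.
    return 1 if i < len(a) else -1


def split_nvra(nvra: str) -> Tuple[str, str, str]:
    """Split 'name-version-release.arch' as printed by `rpm -q` into its parts."""
    nvr, _, arch = nvra.rpartition(".")
    if arch not in _ARCHES:
        nvr = nvra  # no arch suffix, e.g. from a custom --queryformat
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(nvra: str) -> bool:
    """True if the installed package is at or above the advisory's fixed version-release."""
    name, version, release = split_nvra(nvra)
    fixed_version, fixed_release = FIXED[name]
    verdict = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return verdict >= 0


def check_installed(rpm_q_output: str) -> Dict[str, bool]:
    """Map each advisory package found in the `rpm -q` output to its patched state."""
    return {split_nvra(line)[0]: is_patched(line)
            for line in rpm_q_output.split() if split_nvra(line)[0] in FIXED}


if __name__ == "__main__":
    for name, ok in check_installed(SAMPLE_RPM_Q).items():
        print(f"{name}: {'patched' if ok else 'STILL VULNERABLE'}")
```

   On a real host, feed it the output of `rpm -q grafana influxdb
   crowbar-openstack python-urllib3` instead of `SAMPLE_RPM_Q`; any package
   reported as still vulnerable means the patch did not land on that node.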


References:

   https://www.suse.com/security/cve/CVE-2016-8611.html
   https://www.suse.com/security/cve/CVE-2019-20933.html
   https://www.suse.com/security/cve/CVE-2019-9740.html
   https://www.suse.com/security/cve/CVE-2020-24303.html
   https://www.suse.com/security/cve/CVE-2020-26137.html
   https://bugzilla.suse.com/1005886
   https://bugzilla.suse.com/1170479
   https://bugzilla.suse.com/1177120
   https://bugzilla.suse.com/1178243
   https://bugzilla.suse.com/1178988