SUSE Security Update: Security update for ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1729-1
Rating:             important
References:         #1118088 #1179534 #1184177 #1186380 #1189390 
                    #1189794 #1192070 #1192073 #1192075 #1193597 
                    #1193688 #1193752 #1194521 #1194551 #1194552 
                    #1194952 #1194954 #1199138 SOC-11620 SOC-11621 
                    
Cross-References:   CVE-2018-19787 CVE-2020-27783 CVE-2021-28957
                    CVE-2021-38155 CVE-2021-40085 CVE-2021-41182
                    CVE-2021-41183 CVE-2021-41184 CVE-2021-43813
                    CVE-2021-43818 CVE-2021-44716 CVE-2022-22815
                    CVE-2022-22816 CVE-2022-22817 CVE-2022-23451
                    CVE-2022-23452 CVE-2022-29970
CVSS scores:
                    CVE-2018-19787 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2018-19787 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
                    CVE-2020-27783 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-27783 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-28957 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-28957 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-38155 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-40085 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-41182 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-41182 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-41183 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-41183 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-41184 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-41184 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-43813 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-43813 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-43818 (NVD) : 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
                    CVE-2021-43818 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
                    CVE-2021-44716 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-44716 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-22815 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
                    CVE-2022-22815 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
                    CVE-2022-22816 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
                    CVE-2022-22816 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
                    CVE-2022-22817 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-22817 (SUSE): 4.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
                    CVE-2022-23451 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
                    CVE-2022-23452 (SUSE): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2022-29970 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2022-29970 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

   An update that solves 17 vulnerabilities, contains two
   features and has one erratum is now available.

Description:

   This update for ardana-barbican, grafana, openstack-barbican,
   openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui,
   openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml,
   release-notes-suse-openstack-cloud fixes the following issues:

   Security fixes included in the update:

   ardana-barbican:

   - Update policies to protect container secret access (SOC-11621)
   - Update policies to protect secret metadata access (SOC-11620)

   openstack-neutron:

   - CVE-2021-40085: Fixed arbitrary dnsmasq reconfiguration via
     extra_dhcp_opts (bsc#1189794).
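
   The newline issue behind this fix, as an added illustration that is not
   neutron's code: dnsmasq reads its options file one directive per line, so
   an extra_dhcp_opts value carrying an embedded newline adds a line the
   operator never configured. The neutron changelog entries for 13.0.8.dev192
   and 13.0.8.dev198 describe the fix as dropping everything after the first
   newline; the port options, the simplified file layout and the
   "injected-option" placeholder below are constructed.

```python
"""Illustration of the CVE-2021-40085 fix described in this advisory.
Not neutron's code: the options-file layout is simplified and the sample
data is constructed."""

# Constructed sample of a port's extra_dhcp_opts as a tenant might submit
# them. The second value carries an embedded newline; "injected-option"
# stands in for whatever would land on the extra line.
SAMPLE_OPTS = [
    {"opt_name": "dns-server", "opt_value": "192.0.2.53"},
    {"opt_name": "bootfile-name", "opt_value": "pxelinux.0\ninjected-option"},
]


def truncate_at_newline(text):
    """The fix as the changelog states it: keep only the part of a
    dhcp_extra_opt name or value that precedes the first newline."""
    return text.split("\n", 1)[0]


def render_opts_file(opts, sanitize):
    """Render a simplified dnsmasq --dhcp-optsfile: one directive per line.
    dnsmasq parses the file line by line, so with sanitize=False every
    newline inside a value starts a new directive."""
    lines = []
    for opt in opts:
        name, value = opt["opt_name"], opt["opt_value"]
        if sanitize:
            name, value = truncate_at_newline(name), truncate_at_newline(value)
        lines.append("tag:port-a,option:%s,%s" % (name, value))
    return "\n".join(lines) + "\n"


def directive_count(rendered):
    """Number of directives dnsmasq would see in the rendered file."""
    return len(rendered.splitlines())


def find_newline_opts(opts):
    """Audit helper for an operator reviewing existing ports before patching:
    return the opt_names whose name or value contains a newline."""
    return [
        opt["opt_name"]
        for opt in opts
        if "\n" in opt["opt_name"] or "\n" in opt["opt_value"]
    ]


if __name__ == "__main__":
    unsafe = render_opts_file(SAMPLE_OPTS, sanitize=False)
    safe = render_opts_file(SAMPLE_OPTS, sanitize=True)
    print("unsanitized directives:", directive_count(unsafe))
    print("sanitized directives:", directive_count(safe))
    print("port options needing review:", find_newline_opts(SAMPLE_OPTS))
```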

   rubygem-sinatra:

   - CVE-2022-29970: Fixed path traversal possible outside of public_dir when
     serving static files (bsc#1199138).

   python-XStatic-jquery-ui:

   - CVE-2021-41182: Fixed XSS in the `altField` option of the Datepicker
     widget (bsc#1192070)
   - CVE-2021-41183: Fixed XSS in the `of` option of the `.position()` util
     (bsc#1192073)
   - CVE-2021-41184: Fixed XSS in `*Text` options of the Datepicker widget
     (bsc#1192075)

   python-lxml:

   - CVE-2018-19787: Fixed lxml.html.clean (lxml/html/clean.py) not removing
     javascript: URLs that use escaping (bsc#1118088).
   - CVE-2020-27783: Fixed mXSS due to the use of an improper parser
     (bsc#1179534).
   - CVE-2021-28957: Fixed missing input sanitization for formaction HTML5
     attributes that may have led to XSS (bsc#1184177).
   - CVE-2021-43818: Fixed the HTML Cleaner letting crafted SVG image data
     URLs with embedded script content pass through (bsc#1193752).
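
   How escaping defeats a naive javascript: URL check, as an added
   illustration that is not lxml's code: the sample URLs are constructed, and
   the normalization (entity decoding, stripping ASCII whitespace and control
   characters, then reading the scheme against an assumed allowlist) is one
   defensive approach, not the patch the advisory ships.

```python
"""Illustration of the escaped javascript: URL problem behind
CVE-2018-19787 in this advisory. Not lxml's code; the normalization below
is one defensive approach and the sample URLs are constructed."""
import html
import re

# Schemes a cleaner would typically let through (assumed allowlist).
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

# ASCII control characters and space, which browsers ignore inside a scheme.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")

# Constructed test vectors: URL -> whether a cleaner should drop it.
SAMPLES = {
    "https://example.org/page": False,
    "/relative/path?x=1": False,
    "javascript:void(0)": True,
    "JavaScript:void(0)": True,
    "java&#x09;script:void(0)": True,    # entity-encoded TAB inside the scheme
    "java\nscript:void(0)": True,        # literal newline inside the scheme
    "  javascript:void(0)": True,        # leading whitespace
    "&#106;avascript:void(0)": True,     # entity-encoded first letter
}


def naive_is_javascript(url):
    """The kind of check the escaped forms slip past: a plain prefix test."""
    return url.lower().startswith("javascript:")


def normalized_scheme(url):
    """Decode HTML entities, drop control characters and spaces, lowercase,
    and return the scheme, or None for a scheme-less (relative) URL."""
    text = html.unescape(url)
    text = _CONTROL_OR_SPACE.sub("", text).lower()
    m = _SCHEME.match(text)
    return m.group(1) if m else None


def is_unsafe_url(url):
    """Allowlist decision: relative URLs and SAFE_SCHEMES pass, all else fails."""
    scheme = normalized_scheme(url)
    return scheme is not None and scheme not in SAFE_SCHEMES


def misses_of(check):
    """Return the constructed unsafe samples that a given check lets through."""
    return [u for u, unsafe in SAMPLES.items() if unsafe and not check(u)]


if __name__ == "__main__":
    print("missed by naive prefix check:", misses_of(naive_is_javascript))
    print("missed by normalized allowlist:", misses_of(is_unsafe_url))
```

   The normalization only helps if it matches what browsers do before they
   dispatch a URL, which is why allowlisting schemes is sturdier than
   denylisting the dangerous one.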

   openstack-barbican:

   - CVE-2022-23451: Fixed policy rules that let any authenticated user
     add/modify/delete arbitrary metadata on any secret (bsc#1194952).
   - CVE-2022-23452: Fixed policy rules that let anyone with an admin role add
     their secrets to a different project's containers (bsc#1194954).

   grafana:

   - CVE-2021-44716: Fixed unbounded growth of the Go net/http header
     canonicalization cache (bsc#1193597).

   openstack-keystone:

   - CVE-2021-38155: Fixed information disclosure during account locking
     (bsc#1189390).

   Non-security fixes included in the update:

   Changes in ardana-barbican:
   - Update to version 9.0+git.1644879908.8a641c1:
     * Update policies to protect container secret access (SOC-11621)

   - Update to version 9.0+git.1643052417.9a3348e:
     * update policies to protect secret metadata access (SOC-11620)

   Changes in grafana:
   - Add CVE-2021-43813.patch (bsc#1193688, CVE-2021-43813)
     * directory traversal vulnerability for .md files

   - Bump Go to 1.16 (bsc#1193597, CVE-2021-44716)
     * Fix Go net/http: limit growth of header canonicalization cache

   Changes in openstack-barbican:
   - Add patches
     (0001-Fix-RBAC-and-ACL-access-for-managing-secret-containe.patch and
     0001-Fix-policy-for-adding-a-secret-to-a-container.patch) to fix the
     legacy policy rules for adding a secret to a container and removing a
     secret from a container (bsc#1194954, CVE-2022-23452).

   - Add patch (0001-Fix-secret-metadata-access-rules.patch) to fix the
     legacy policy rules for accessing secret metadata by checking that the
     user making the request is authenticated for the project that
     owns the secret (bsc#1194952, CVE-2022-23451).

   Changes in openstack-cinder:
   - Update to version cinder-13.0.10.dev24:
     * Correct group:reset_group_snapshot_status policy

   Changes in openstack-heat-gbp:
   - Update to version group-based-policy-automation-14.0.1.dev4:
     * Add support for yoga

   - Update to version group-based-policy-automation-14.0.1.dev3:
     * Python2/3 compatibility fixes

   - Update to version group-based-policy-automation-14.0.1.dev2:
     * Add support for xena

   - Update to version group-based-policy-automation-14.0.1.dev1:
     * Remove py27 from gate jobs 14.0.0

   Changes in openstack-horizon-plugin-gbp-ui:
   - Update to version group-based-policy-ui-14.0.1.dev3:
     * Add support for yoga

   - Update to version group-based-policy-ui-14.0.1.dev2:
     * Python2/3 compatibility changes

   - Update to version group-based-policy-ui-14.0.1.dev1:
     * Add support for xena 14.0.0

   Changes in openstack-ironic:
   - Update to version ironic-11.1.5.dev18:
     * Cleanup stable/rocky legacy jobs

   Changes in openstack-keystone:
   - Add patch (0001-Hide-AccountLocked-exception-from-end-users.patch) to
     fix the problem where AccountLocked exception discloses sensitive
     information (bsc#1189390, CVE-2021-38155).

   - Update to version keystone-14.2.1.dev9:
     * Delete system role assignments from system_assignment table

   Changes in openstack-neutron-gbp:
   - Update to version group-based-policy-14.0.1.dev33:
     * Populate network mtu for erspan

   - Update to version group-based-policy-14.0.1.dev32:
     * ERSPAN config error when Openstack port is created in a different
       project than network it belongs to 2014.2.rc1

   - Update to version group-based-policy-14.0.1.dev31:
     * Python2/3 compatibility fixes 2014.2.0rc1

   - Update to version group-based-policy-14.0.1.dev29:
     * Fix oslo_i18n usage

   - Update to version group-based-policy-14.0.1.dev27:
     * Update mechanism_driver cache 2014.2.rc1

   - Update to version group-based-policy-14.0.1.dev26:
     * Add support for xena

   - Update to version group-based-policy-14.0.1.dev24:
     * update_floatingip_status_while_deleting_the_vm

   - Update to version group-based-policy-14.0.1.dev22:
     * Updating host id by appending pid in existing host id 2014.2.0rc1

   - Update to version group-based-policy-14.0.1.dev20:
     * Revert "Add workaround to get_subnets"

   Changes in python-lxml:
   - Fix bsc#1179534 (CVE-2020-27783): mXSS due to the use of an improper
     parser. Patch files: 0001-CVE-2020-27783.patch, 0002-CVE-2020-27783.patch
   - Fix bsc#1118088 (CVE-2018-19787): lxml/html/clean.py in the
     lxml.html.clean module does not remove javascript: URLs that use
     escaping, allowing a remote attacker to conduct XSS attacks. Patch file:
     0001-CVE-2018-19787.patch
   - Fix bsc#1184177 (CVE-2021-28957): missing input sanitization for
     formaction HTML5 attributes may lead to XSS. Patch file:
     0001-CVE-2021-28957.patch
   - Fix bsc#1193752 (CVE-2021-43818): Cleaner: remove SVG image data URLs
     since they can embed script content. Reported as GHSL-2021-1037 and
     GHSL-2021-1038. Patch files: 0001-CVE-2021-43818.patch,
     0002-CVE-2021-43818.patch

   Changes in openstack-neutron-doc:
   - Update to version neutron-13.0.8.dev206:
     * Wait longer before deleting DPDK vhu trunk bridges

   - Update to version neutron-13.0.8.dev205:
     * Do not use "--strict" for OF deletion in TRANSIENT_TABLE

   - Update to version neutron-13.0.8.dev203:
     * Populate self.floating_ips_dict using "ip rule" information

   - Update to version neutron-13.0.8.dev201:
     * [Functional] Wait for the initial state of ha router before test
     * Don't setup bridge controller if it is already set

   - Update to version neutron-13.0.8.dev198:
     * Remove dhcp_extra_opt name after first newline character

   - Update to version neutron-13.0.8.dev196:
     * [L3] Use processing queue for network update events
     * Add extra logs to the network update callback in L3 agent

   - Update to version neutron-13.0.8.dev192:
     * Remove dhcp_extra_opt value after first newline character

   - Update to version neutron-13.0.8.dev190:
     * Don't use singleton in routes.middleware.RoutesMiddleware

   - Update to version neutron-13.0.8.dev189:
     * Fix notify listener syntax for SEGMENT_HOST_MAPPING

   - Update to version neutron-13.0.8.dev188:
     * Clean port forwarding cache when router is DOWN

   - Update to version neutron-13.0.8.dev186:
     * Remove FIP agent's gw port when L3 agent is deleted

   - Update to version neutron-13.0.8.dev184:
     * Force to close http connection after notify about HA router status

   - Update to version neutron-13.0.8.dev183:
     * Don't configure dnsmasq entries for "network" ports

   - Update to version neutron-13.0.8.dev181:
     * Exclude fallback tunnel devices from netns cleanup

   - Update to version neutron-13.0.8.dev180:
     * [DVR] Send allowed address pairs info to the L3 agents
     * designate: allow PTR zone creation to fail
     * Don't try to create default SG when security groups are disabled

   - Update to version neutron-13.0.8.dev174:
     * Fix update of trunk subports during live migration

   - Update to version neutron-13.0.8.dev172:
     * [ovs fw] Restrict IPv6 NA and DHCP(v6) IP and MAC source addresses

   - Update to version neutron-13.0.8.dev170:
     * Call install_ingress_direct_goto_flows() when ovs restarts

   - Update to version neutron-13.0.8.dev168:
     * Fix multicast traffic with IGMP snooping enabled

   - Update to version neutron-13.0.8.dev166:
     * Fix OVS conjunctive IP flows cleanup

   Changes in openstack-neutron:
   - Update to version neutron-13.0.8.dev206:
     * Wait longer before deleting DPDK vhu trunk bridges

   - Update to version neutron-13.0.8.dev205:
     * Do not use "--strict" for OF deletion in TRANSIENT_TABLE

   - Update to version neutron-13.0.8.dev203:
     * Populate self.floating_ips_dict using "ip rule" information

   - Update to version neutron-13.0.8.dev201:
     * [Functional] Wait for the initial state of ha router before test
     * Don't setup bridge controller if it is already set

   - Update to version neutron-13.0.8.dev198:
     * Remove dhcp_extra_opt name after first newline character

   - Update to version neutron-13.0.8.dev196:
     * [L3] Use processing queue for network update events
     * Add extra logs to the network update callback in L3 agent

   - Remove cve-2021-40085-stable-rocky.patch (merged upstream)

   - Update to version neutron-13.0.8.dev192:
     * Remove dhcp_extra_opt value after first newline character

   - Update to version neutron-13.0.8.dev190:
     * Don't use singleton in routes.middleware.RoutesMiddleware

   - Update to version neutron-13.0.8.dev189:
     * Fix notify listener syntax for SEGMENT_HOST_MAPPING

   - Add cve-2021-40085-stable-rocky.patch (bsc#1189794, CVE-2021-40085)
     * Remove dhcp_extra_opt value after first newline character

   - Update to version neutron-13.0.8.dev188:
     * Clean port forwarding cache when router is DOWN

   - Update to version neutron-13.0.8.dev186:
     * Remove FIP agent's gw port when L3 agent is deleted

   - Update to version neutron-13.0.8.dev184:
     * Force to close http connection after notify about HA router status

   - Update to version neutron-13.0.8.dev183:
     * Don't configure dnsmasq entries for "network" ports

   - Update to version neutron-13.0.8.dev181:
     * Exclude fallback tunnel devices from netns cleanup

   - Update to version neutron-13.0.8.dev180:
     * [DVR] Send allowed address pairs info to the L3 agents
     * designate: allow PTR zone creation to fail
     * Don't try to create default SG when security groups are disabled

   - Update to version neutron-13.0.8.dev174:
     * Fix update of trunk subports during live migration

   - Update to version neutron-13.0.8.dev172:
     * [ovs fw] Restrict IPv6 NA and DHCP(v6) IP and MAC source addresses

   - Update to version neutron-13.0.8.dev170:
     * Call install_ingress_direct_goto_flows() when ovs restarts

   - Update to version neutron-13.0.8.dev168:
     * Fix multicast traffic with IGMP snooping enabled

   - Update to version neutron-13.0.8.dev166:
     * Fix OVS conjunctive IP flows cleanup

   Changes in python-Pillow:
   - Add 030-CVE-2022-22817.patch
     * From upstream, backported
     * Fixes CVE-2022-22817, bsc#1194521
     * test from upstream updated for python2

   - Add 028-CVE-2022-22815.patch
     * From upstream, backported
     * Fixes CVE-2022-22815, bsc#1194552

   - Add 029-CVE-2022-22816.patch
     * From upstream, backported
     * Fixes CVE-2022-22816, bsc#1194551

   Changes in python-XStatic-jquery-ui:
   - Update to version 1.13.0.1 (bsc#1192070, CVE-2021-41182, bsc#1192073,
     CVE-2021-41184, bsc#1192075, CVE-2021-41183)
     * Fix XSS in the altField option of the Datepicker widget
       (CVE-2021-41182)
     * Fix XSS in *Text options of the Datepicker widget (CVE-2021-41183)
     * Fix XSS in the of option of the .position() util (CVE-2021-41184)
     * Drop support for jQuery 1.7
     * Accordion: allow function parameter for selecting header elements
     * Datepicker: add optional onUpdateDatepicker callback

   Changes in release-notes-suse-openstack-cloud:
   - Update to version 9.20220413:
     * Update release notes to indicate support for SES7
   - Update to version 9.20220112:
     * Add reference to keystone bcrypt issue to known limitations
       (bsc#1186380)

   Changes in rubygem-sinatra:
   - Add CVE-2022-29970.patch (bsc#1199138, CVE-2022-29970)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1729=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1729=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      grafana-6.7.4-3.26.1
      grafana-debuginfo-6.7.4-3.26.1
      python-Pillow-5.2.0-3.17.1
      python-Pillow-debuginfo-5.2.0-3.17.1
      python-Pillow-debugsource-5.2.0-3.17.1
      python-lxml-4.2.4-3.3.1
      python-lxml-debuginfo-4.2.4-3.3.1
      python-lxml-debugsource-4.2.4-3.3.1
      ruby2.1-rubygem-sinatra-1.4.6-4.3.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      openstack-barbican-7.0.1~dev24-3.14.1
      openstack-barbican-api-7.0.1~dev24-3.14.1
      openstack-barbican-keystone-listener-7.0.1~dev24-3.14.1
      openstack-barbican-retry-7.0.1~dev24-3.14.1
      openstack-barbican-worker-7.0.1~dev24-3.14.1
      openstack-cinder-13.0.10~dev24-3.34.2
      openstack-cinder-api-13.0.10~dev24-3.34.2
      openstack-cinder-backup-13.0.10~dev24-3.34.2
      openstack-cinder-scheduler-13.0.10~dev24-3.34.2
      openstack-cinder-volume-13.0.10~dev24-3.34.2
      openstack-heat-gbp-14.0.1~dev4-3.9.1
      openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1
      openstack-ironic-11.1.5~dev18-3.28.2
      openstack-ironic-api-11.1.5~dev18-3.28.2
      openstack-ironic-conductor-11.1.5~dev18-3.28.2
      openstack-keystone-14.2.1~dev9-3.28.2
      openstack-neutron-13.0.8~dev206-3.40.1
      openstack-neutron-dhcp-agent-13.0.8~dev206-3.40.1
      openstack-neutron-gbp-14.0.1~dev33-3.31.1
      openstack-neutron-ha-tool-13.0.8~dev206-3.40.1
      openstack-neutron-l3-agent-13.0.8~dev206-3.40.1
      openstack-neutron-linuxbridge-agent-13.0.8~dev206-3.40.1
      openstack-neutron-macvtap-agent-13.0.8~dev206-3.40.1
      openstack-neutron-metadata-agent-13.0.8~dev206-3.40.1
      openstack-neutron-metering-agent-13.0.8~dev206-3.40.1
      openstack-neutron-openvswitch-agent-13.0.8~dev206-3.40.1
      openstack-neutron-server-13.0.8~dev206-3.40.1
      python-XStatic-jquery-ui-1.13.0.1-4.3.1
      python-barbican-7.0.1~dev24-3.14.1
      python-cinder-13.0.10~dev24-3.34.2
      python-heat-gbp-14.0.1~dev4-3.9.1
      python-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1
      python-ironic-11.1.5~dev18-3.28.2
      python-keystone-14.2.1~dev9-3.28.2
      python-neutron-13.0.8~dev206-3.40.1
      python-neutron-gbp-14.0.1~dev33-3.31.1
      release-notes-suse-openstack-cloud-9.20220413-3.30.1

   - SUSE OpenStack Cloud 9 (noarch):

      ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1
      openstack-barbican-7.0.1~dev24-3.14.1
      openstack-barbican-api-7.0.1~dev24-3.14.1
      openstack-barbican-keystone-listener-7.0.1~dev24-3.14.1
      openstack-barbican-retry-7.0.1~dev24-3.14.1
      openstack-barbican-worker-7.0.1~dev24-3.14.1
      openstack-cinder-13.0.10~dev24-3.34.2
      openstack-cinder-api-13.0.10~dev24-3.34.2
      openstack-cinder-backup-13.0.10~dev24-3.34.2
      openstack-cinder-scheduler-13.0.10~dev24-3.34.2
      openstack-cinder-volume-13.0.10~dev24-3.34.2
      openstack-heat-gbp-14.0.1~dev4-3.9.1
      openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1
      openstack-ironic-11.1.5~dev18-3.28.2
      openstack-ironic-api-11.1.5~dev18-3.28.2
      openstack-ironic-conductor-11.1.5~dev18-3.28.2
      openstack-keystone-14.2.1~dev9-3.28.2
      openstack-neutron-13.0.8~dev206-3.40.1
      openstack-neutron-dhcp-agent-13.0.8~dev206-3.40.1
      openstack-neutron-gbp-14.0.1~dev33-3.31.1
      openstack-neutron-ha-tool-13.0.8~dev206-3.40.1
      openstack-neutron-l3-agent-13.0.8~dev206-3.40.1
      openstack-neutron-linuxbridge-agent-13.0.8~dev206-3.40.1
      openstack-neutron-macvtap-agent-13.0.8~dev206-3.40.1
      openstack-neutron-metadata-agent-13.0.8~dev206-3.40.1
      openstack-neutron-metering-agent-13.0.8~dev206-3.40.1
      openstack-neutron-openvswitch-agent-13.0.8~dev206-3.40.1
      openstack-neutron-server-13.0.8~dev206-3.40.1
      python-XStatic-jquery-ui-1.13.0.1-4.3.1
      python-barbican-7.0.1~dev24-3.14.1
      python-cinder-13.0.10~dev24-3.34.2
      python-heat-gbp-14.0.1~dev4-3.9.1
      python-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1
      python-ironic-11.1.5~dev18-3.28.2
      python-keystone-14.2.1~dev9-3.28.2
      python-neutron-13.0.8~dev206-3.40.1
      python-neutron-gbp-14.0.1~dev33-3.31.1
      release-notes-suse-openstack-cloud-9.20220413-3.30.1
      venv-openstack-barbican-x86_64-7.0.1~dev24-3.35.2
      venv-openstack-cinder-x86_64-13.0.10~dev24-3.38.1
      venv-openstack-designate-x86_64-7.0.2~dev2-3.35.1
      venv-openstack-glance-x86_64-17.0.1~dev30-3.33.1
      venv-openstack-heat-x86_64-11.0.4~dev4-3.35.1
      venv-openstack-horizon-x86_64-14.1.1~dev11-4.39.1
      venv-openstack-ironic-x86_64-11.1.5~dev18-4.33.1
      venv-openstack-keystone-x86_64-14.2.1~dev9-3.36.1
      venv-openstack-magnum-x86_64-7.2.1~dev1-4.35.1
      venv-openstack-manila-x86_64-7.4.2~dev60-3.41.1
      venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.35.1
      venv-openstack-monasca-x86_64-2.7.1~dev10-3.37.1
      venv-openstack-neutron-x86_64-13.0.8~dev206-6.39.1
      venv-openstack-nova-x86_64-18.3.1~dev91-3.39.1
      venv-openstack-octavia-x86_64-3.2.3~dev7-4.35.1
      venv-openstack-sahara-x86_64-9.0.2~dev15-3.35.1
      venv-openstack-swift-x86_64-2.19.2~dev48-2.30.1

   - SUSE OpenStack Cloud 9 (x86_64):

      grafana-6.7.4-3.26.1
      grafana-debuginfo-6.7.4-3.26.1
      python-Pillow-5.2.0-3.17.1
      python-Pillow-debuginfo-5.2.0-3.17.1
      python-Pillow-debugsource-5.2.0-3.17.1
      python-lxml-4.2.4-3.3.1
      python-lxml-debuginfo-4.2.4-3.3.1
      python-lxml-debugsource-4.2.4-3.3.1


References:

   https://www.suse.com/security/cve/CVE-2018-19787.html
   https://www.suse.com/security/cve/CVE-2020-27783.html
   https://www.suse.com/security/cve/CVE-2021-28957.html
   https://www.suse.com/security/cve/CVE-2021-38155.html
   https://www.suse.com/security/cve/CVE-2021-40085.html
   https://www.suse.com/security/cve/CVE-2021-41182.html
   https://www.suse.com/security/cve/CVE-2021-41183.html
   https://www.suse.com/security/cve/CVE-2021-41184.html
   https://www.suse.com/security/cve/CVE-2021-43813.html
   https://www.suse.com/security/cve/CVE-2021-43818.html
   https://www.suse.com/security/cve/CVE-2021-44716.html
   https://www.suse.com/security/cve/CVE-2022-22815.html
   https://www.suse.com/security/cve/CVE-2022-22816.html
   https://www.suse.com/security/cve/CVE-2022-22817.html
   https://www.suse.com/security/cve/CVE-2022-23451.html
   https://www.suse.com/security/cve/CVE-2022-23452.html
   https://www.suse.com/security/cve/CVE-2022-29970.html
   https://bugzilla.suse.com/1118088
   https://bugzilla.suse.com/1179534
   https://bugzilla.suse.com/1184177
   https://bugzilla.suse.com/1186380
   https://bugzilla.suse.com/1189390
   https://bugzilla.suse.com/1189794
   https://bugzilla.suse.com/1192070
   https://bugzilla.suse.com/1192073
   https://bugzilla.suse.com/1192075
   https://bugzilla.suse.com/1193597
   https://bugzilla.suse.com/1193688
   https://bugzilla.suse.com/1193752
   https://bugzilla.suse.com/1194521
   https://bugzilla.suse.com/1194551
   https://bugzilla.suse.com/1194552
   https://bugzilla.suse.com/1194952
   https://bugzilla.suse.com/1194954
   https://bugzilla.suse.com/1199138

May 18, 2022
CVE-2022-29970.patch (bsc#1199138, CVE-2022-29970) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-1729=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2022-1729=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): grafana-6.7.4-3.26.1 grafana-debuginfo-6.7.4-3.26.1 python-Pillow-5.2.0-3.17.1 python-Pillow-debuginfo-5.2.0-3.17.1 python-Pillow-debugsource-5.2.0-3.17.1 python-lxml-4.2.4-3.3.1 python-lxml-debuginfo-4.2.4-3.3.1 python-lxml-debugsource-4.2.4-3.3.1 ruby2.1-rubygem-sinatra-1.4.6-4.3.1 - SUSE OpenStack Cloud Crowbar 9 (noarch): openstack-barbican-7.0.1~dev24-3.14.1 openstack-barbican-api-7.0.1~dev24-3.14.1 openstack-barbican-keystone-listener-7.0.1~dev24-3.14.1 openstack-barbican-retry-7.0.1~dev24-3.14.1 openstack-barbican-worker-7.0.1~dev24-3.14.1 openstack-cinder-13.0.10~dev24-3.34.2 openstack-cinder-api-13.0.10~dev24-3.34.2 openstack-cinder-backup-13.0.10~dev24-3.34.2 openstack-cinder-scheduler-13.0.10~dev24-3.34.2 openstack-cinder-volume-13.0.10~dev24-3.34.2 openstack-heat-gbp-14.0.1~dev4-3.9.1 openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1 openstack-ironic-11.1.5~dev18-3.28.2 openstack-ironic-api-11.1.5~dev18-3.28.2 openstack-ironic-conductor-11.1.5~dev18-3.28.2 openstack-keystone-14.2.1~dev9-3.28.2 openstack-neutron-13.0.8~dev206-3.40.1 openstack-neutron-dhcp-agent-13.0.8~dev206-3.40.1 openstack-neutron-gbp-14.0.1~dev33-3.31.1 openstack-neutron-ha-tool-13.0.8~dev206-3.40.1 openstack-neutron-l3-agent-13.0.8~dev206-3.40.1 openstack-neutron-linuxbridge-agent-13.0.8~dev206-3.40.1 openstack-neutron-macvtap-agent-13.0.8~dev206-3.40.1 openstack-neutron-metadata-agent-13.0.8~dev206-3.40.1 openstack-neutron-metering-agent-13.0.8~dev206-3.40.1 
openstack-neutron-openvswitch-agent-13.0.8~dev206-3.40.1 openstack-neutron-server-13.0.8~dev206-3.40.1 python-XStatic-jquery-ui-1.13.0.1-4.3.1 python-barbican-7.0.1~dev24-3.14.1 python-cinder-13.0.10~dev24-3.34.2 python-heat-gbp-14.0.1~dev4-3.9.1 python-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1 python-ironic-11.1.5~dev18-3.28.2 python-keystone-14.2.1~dev9-3.28.2 python-neutron-13.0.8~dev206-3.40.1 python-neutron-gbp-14.0.1~dev33-3.31.1 release-notes-suse-openstack-cloud-9.20220413-3.30.1 - SUSE OpenStack Cloud 9 (noarch): ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1 openstack-barbican-7.0.1~dev24-3.14.1 openstack-barbican-api-7.0.1~dev24-3.14.1 openstack-barbican-keystone-listener-7.0.1~dev24-3.14.1 openstack-barbican-retry-7.0.1~dev24-3.14.1 openstack-barbican-worker-7.0.1~dev24-3.14.1 openstack-cinder-13.0.10~dev24-3.34.2 openstack-cinder-api-13.0.10~dev24-3.34.2 openstack-cinder-backup-13.0.10~dev24-3.34.2 openstack-cinder-scheduler-13.0.10~dev24-3.34.2 openstack-cinder-volume-13.0.10~dev24-3.34.2 openstack-heat-gbp-14.0.1~dev4-3.9.1 openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1 openstack-ironic-11.1.5~dev18-3.28.2 openstack-ironic-api-11.1.5~dev18-3.28.2 openstack-ironic-conductor-11.1.5~dev18-3.28.2 openstack-keystone-14.2.1~dev9-3.28.2 openstack-neutron-13.0.8~dev206-3.40.1 openstack-neutron-dhcp-agent-13.0.8~dev206-3.40.1 openstack-neutron-gbp-14.0.1~dev33-3.31.1 openstack-neutron-ha-tool-13.0.8~dev206-3.40.1 openstack-neutron-l3-agent-13.0.8~dev206-3.40.1 openstack-neutron-linuxbridge-agent-13.0.8~dev206-3.40.1 openstack-neutron-macvtap-agent-13.0.8~dev206-3.40.1 openstack-neutron-metadata-agent-13.0.8~dev206-3.40.1 openstack-neutron-metering-agent-13.0.8~dev206-3.40.1 openstack-neutron-openvswitch-agent-13.0.8~dev206-3.40.1 openstack-neutron-server-13.0.8~dev206-3.40.1 python-XStatic-jquery-ui-1.13.0.1-4.3.1 python-barbican-7.0.1~dev24-3.14.1 python-cinder-13.0.10~dev24-3.34.2 python-heat-gbp-14.0.1~dev4-3.9.1 
python-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1 python-ironic-11.1.5~dev18-3.28.2 python-keystone-14.2.1~dev9-3.28.2 python-neutron-13.0.8~dev206-3.40.1 python-neutron-gbp-14.0.1~dev33-3.31.1 release-notes-suse-openstack-cloud-9.20220413-3.30.1 venv-openstack-barbican-x86_64-7.0.1~dev24-3.35.2 venv-openstack-cinder-x86_64-13.0.10~dev24-3.38.1 venv-openstack-designate-x86_64-7.0.2~dev2-3.35.1 venv-openstack-glance-x86_64-17.0.1~dev30-3.33.1 venv-openstack-heat-x86_64-11.0.4~dev4-3.35.1 venv-openstack-horizon-x86_64-14.1.1~dev11-4.39.1 venv-openstack-ironic-x86_64-11.1.5~dev18-4.33.1 venv-openstack-keystone-x86_64-14.2.1~dev9-3.36.1 venv-openstack-magnum-x86_64-7.2.1~dev1-4.35.1 venv-openstack-manila-x86_64-7.4.2~dev60-3.41.1 venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.35.1 venv-openstack-monasca-x86_64-2.7.1~dev10-3.37.1 venv-openstack-neutron-x86_64-13.0.8~dev206-6.39.1 venv-openstack-nova-x86_64-18.3.1~dev91-3.39.1 venv-openstack-octavia-x86_64-3.2.3~dev7-4.35.1 venv-openstack-sahara-x86_64-9.0.2~dev15-3.35.1 venv-openstack-swift-x86_64-2.19.2~dev48-2.30.1 - SUSE OpenStack Cloud 9 (x86_64): grafana-6.7.4-3.26.1 grafana-debuginfo-6.7.4-3.26.1 python-Pillow-5.2.0-3.17.1 python-Pillow-debuginfo-5.2.0-3.17.1 python-Pillow-debugsource-5.2.0-3.17.1 python-lxml-4.2.4-3.3.1 python-lxml-debuginfo-4.2.4-3.3.1 python-lxml-debugsource-4.2.4-3.3.1
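Running "zypper patch" is only half of the job; a node that was offline, locked, or on a stale repository can still carry the old packages. The script below is an added example written for this page, not SUSE tooling and not part of the advisory. It compares a host's installed versions with the fixed versions from the package list above. The rpm output it consumes is a constructed sample embedded in the script, the FIXED table is a subset of the advisory's package list (extend it as needed), and the version comparison relies on "sort -V" from GNU or busybox coreutils as an approximation of rpm's own comparison, which is an assumption stated in the code.

```shell
#!/bin/sh
# Added example for this advisory page; not SUSE tooling and not part of
# SUSE-SU-2022:1729-1. Checks installed package versions against the fixed
# versions from the advisory's package list so you can confirm the patch
# actually landed on a given node.

# Fixed versions copied from the advisory's package list ("name version-release").
# Only a subset is listed; extend it with the rest of the package list as needed.
FIXED='openstack-keystone 14.2.1~dev9-3.28.2
openstack-neutron-server 13.0.8~dev206-3.40.1
python-lxml 4.2.4-3.3.1
python-Pillow 5.2.0-3.17.1
python-XStatic-jquery-ui 1.13.0.1-4.3.1
grafana 6.7.4-3.26.1'

# Constructed sample standing in for the output of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# on a node where only some of the packages have been updated.
SAMPLE='openstack-keystone 14.2.1~dev9-3.28.2
openstack-neutron-server 13.0.8~dev192-3.38.1
python-lxml 4.2.4-3.3.1
python-Pillow 5.2.0-3.14.1
grafana 6.7.4-3.26.1'

# version_ge INSTALLED FIXED: succeeds when INSTALLED sorts at or after FIXED.
# Assumption: "sort -V" approximates rpmvercmp closely enough for these strings.
# It compares digit runs numerically and orders "~" before anything else, which
# matches rpm's handling of the "~devNN" pre-release snapshots in this advisory.
# Use "zypper versioncmp A B" on a SUSE host when an exact rpm answer matters.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)" = "$1" ]
}

# missing_fixes RPMLIST: prints "name installed fixed" for every package in
# FIXED that is installed below its fixed version. Packages that are not
# installed at all are skipped, since there is nothing to patch for them.
missing_fixes() {
    printf '%s\n' "$FIXED" | while read -r name fixed; do
        inst=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $2 }')
        [ -z "$inst" ] && continue
        version_ge "$inst" "$fixed" || printf '%s %s %s\n' "$name" "$inst" "$fixed"
    done
}

# Report for the constructed sample. On a real node, feed live data instead:
#   missing_fixes "$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n')"
missing_fixes "$SAMPLE"
```

For the sample above the report lists openstack-neutron-server and python-Pillow as still unpatched. On a SUSE OpenStack Cloud 9 node, "zypper patches" also shows whether the 2022-1729 patch is listed as applied, but the per-package comparison is what tells you which service still needs a restart after the update.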

References:

https://www.suse.com/security/cve/CVE-2018-19787.html
https://www.suse.com/security/cve/CVE-2020-27783.html
https://www.suse.com/security/cve/CVE-2021-28957.html
https://www.suse.com/security/cve/CVE-2021-38155.html
https://www.suse.com/security/cve/CVE-2021-40085.html
https://www.suse.com/security/cve/CVE-2021-41182.html
https://www.suse.com/security/cve/CVE-2021-41183.html
https://www.suse.com/security/cve/CVE-2021-41184.html
https://www.suse.com/security/cve/CVE-2021-43813.html
https://www.suse.com/security/cve/CVE-2021-43818.html
https://www.suse.com/security/cve/CVE-2021-44716.html
https://www.suse.com/security/cve/CVE-2022-22815.html
https://www.suse.com/security/cve/CVE-2022-22816.html
https://www.suse.com/security/cve/CVE-2022-22817.html
https://www.suse.com/security/cve/CVE-2022-23451.html
https://www.suse.com/security/cve/CVE-2022-23452.html
https://www.suse.com/security/cve/CVE-2022-29970.html
https://bugzilla.suse.com/1118088
https://bugzilla.suse.com/1179534
https://bugzilla.suse.com/1184177
https://bugzilla.suse.com/1186380
https://bugzilla.suse.com/1189390
https://bugzilla.suse.com/1189794
https://bugzilla.suse.com/1192070
https://bugzilla.suse.com/1192073
https://bugzilla.suse.com/1192075
https://bugzilla.suse.com/1193597
https://bugzilla.suse.com/1193688
https://bugzilla.suse.com/1193752
https://bugzilla.suse.com/1194521
https://bugzilla.suse.com/1194551
https://bugzilla.suse.com/1194552
https://bugzilla.suse.com/1194952
https://bugzilla.suse.com/1194954
https://bugzilla.suse.com/1199138
