openSUSE Security Update : openstack (openSUSE-2013-237)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The OpenStack components were updated to the Folsom stable branch as
of March 5th.

Changes in openstack-cinder :

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Update cinder-config-update.diff: update
etc/cinder/api-paste.ini to have a signing_dir key under
[filter:authtoken]. Otherwise, cinder-api won't start.
This was done with commit de289a6 in Grizzly.

- Update to version 2012.2.4+git.1362502414.95a620b :

+ Check for non-default volume name template.

+ Fix error for extra specs update with empty body.

- Update to version 2012.2.4+git.1361527687.68de70d :

+ Add a safe_minidom_parse_string function.
(CVE-2013-1664)

- Set auth_strategy to keystone for a good out-of-the-box
experience

- Add cinder-config-update.diff: move configuration
changes to a patch, instead of using sed.

- Update to version 2012.2.4+git.1360133755.a8caa79 :

+ Final versioning for 2012.2.3

+ Bump version to 2012.2.4

+ Fix typo in cinder/db/api.py

- Update to version 2012.2.3+git.1358429029.cdf6c13 :

+ Add commands used by NFS volume driver to rootwrap

Changes in openstack-dashboard :

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Backport packaging changes we did for Grizzly to fix
theming :

+ define a production %bcond_with that will determine
whether offline compression is used or not.

+ if not using the production feature, have a nodejs
Requires.

+ move compression steps to %prep.

+ by default, use the non-production mode for greater
flexibility.

- Do not use 'SUSE Cloud' as site branding: this is not
SUSE Cloud.

- Update to version 2012.2.4+git.1362503968.8ece3c7 :

+ pin django to 1.4.x stream

- Update to version 2012.2.4+git.1361527741.0a42fa0 :

+ Prevent the user from creating a single IP address sized
network

+ Add UTC offset information to the timezone

- Update to version 2012.2.4+git.1360133827.f421145 :

+ Final versioning for 2012.2.3

+ Bump version to 2012.2.4

- Update to version 2012.2.2+git.1359111868.20fa0fc :

+ Pin docutils to 0.9.1, fix pep8 errors

+ Fix bug 1055929 - Can not display usage data for Quota
Summary.

+ Revert 'Temp fix for api/keystone.py'

+ Specify floating ips table action column's width

+ Allow setting nova quotas to unlimited

+ Add a check for unlimited quotas

+ Avoid cinder calls, when cinder is unavailable

+ Don't inherit from base.html in 500 error page

+ Don't show the EC2 Credentials panel if there is no EC2
service

- Drop horizon-ssl.patch: merged upstream.

Changes in openstack-glance :

- Do not return location in headers (CVE-2013-1840)

- This fixes bnc#808626.

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Update to version 2012.2.4+git.1362583521.1fb759d :

+ Swallow UserWarning from glance-cache-manage

+ Avoid dangling partial image on size/checksum mismatch

- Update to version 2012.2.4+git.1362503824.afe6166 :

+ Fix broken JSON schemas in v2 tests

+ Prints list-cached dates in isoformat

- Update to version 2012.2.4+git.1360133885.98d9928 :

+ Bump version to 2012.2.4

- Update to version 2012.2.3+git.1359529730.a5b0f4e :

+ Change useexisting to extend_existing to fix deprecation
warnings.

+ Remove Swift location/password from messages.
(CVE-2013-0212)

Changes in openstack-keystone :

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- fix logging.conf to be about keystone and have absolute
path

- Update to version 2012.2.4+git.1362502288.8690166 :

+ Sync timeutils to pick up normalize fix.

+ Backport of fix for 24-hour failure of pki.

- Update to version 2012.2.4+git.1361527873.37b3532 :

+ Disable XML entity parsing (CVE-2013-1664,
CVE-2013-1665)

+ Ensure user and tenant enabled in EC2 (CVE-2013-0282)

- Update to version 2012.2.4+git.1360133921.82c87e5 :

+ Bump version to 2012.2.4

+ Add size validations for /tokens. (CVE-2013-0247)

- Update to version 2012.2.3+git.1359550485.ec7b94d :

+ Test 0.2.0 keystoneclient to avoid new deps

+ Unparseable endpoint URLs should raise friendly error

+ Fix catalog when services have no URL

+ Render content-type appropriate 404 (bug 1089987)

- fix last commit's hash tag in Version
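
The keystone entry "Add size validations for /tokens (CVE-2013-0247)"
refers to capping a request body before the handler parses it, so a
client cannot make the service buffer and decode an arbitrarily large
document. What follows is an added illustration of that pattern and is
not Keystone's own middleware nor part of this advisory: a WSGI filter
that rejects an oversized Content-Length up front and also caps the
bytes actually read, because the header can be absent (chunked
transfer) or understated. The 112 KiB cap, the class and function
names, and the stand-in /tokens application are assumptions made for
the example.

```python
"""Added example (not Keystone code): cap the size of a request body
before a handler such as POST /tokens parses it (cf. CVE-2013-0247)."""
import io
import json

MAX_BODY_BYTES = 112 * 1024   # assumed cap, not a value from the advisory


class BodyTooLarge(Exception):
    """Raised while reading a request body that exceeds the configured cap."""


class LimitingReader:
    """Wraps wsgi.input so no caller can pull more than `limit` bytes.

    Content-Length alone is not enough: the header may be absent (chunked
    transfer) or understated, so the cap is enforced on bytes actually read.
    """

    def __init__(self, stream, limit):
        self._stream = stream
        self._limit = limit
        self._consumed = 0

    def read(self, size=-1):
        if size is None or size < 0:
            # "Read everything": ask for one byte past the remaining budget so
            # an oversized body is detected without buffering all of it.
            size = self._limit - self._consumed + 1
        chunk = self._stream.read(size)
        self._consumed += len(chunk)
        if self._consumed > self._limit:
            raise BodyTooLarge("request body exceeds %d bytes" % self._limit)
        return chunk


class RequestBodySizeLimiter:
    """WSGI middleware: reject oversized bodies before the app parses them."""

    def __init__(self, app, max_bytes=MAX_BODY_BYTES):
        self.app = app
        self.max_bytes = max_bytes

    @staticmethod
    def _reject(start_response, status):
        body = status.encode("ascii")
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
        return [body]

    def __call__(self, environ, start_response):
        declared = (environ.get("CONTENT_LENGTH") or "").strip()
        if declared:
            if not declared.isdigit():
                return self._reject(start_response, "400 Bad Request")
            if int(declared) > self.max_bytes:
                # Cheap early rejection: the body is never read at all.
                return self._reject(start_response,
                                    "413 Request Entity Too Large")
        environ["wsgi.input"] = LimitingReader(environ["wsgi.input"],
                                               self.max_bytes)
        try:
            return self.app(environ, start_response)
        except BodyTooLarge:
            # tokens_app reads the body before calling start_response, so
            # starting the response here is legal; a production filter would
            # pass exc_info if headers had already been sent.
            return self._reject(start_response,
                                "413 Request Entity Too Large")


def tokens_app(environ, start_response):
    """Stand-in for a token-issuing handler: it only parses a JSON object."""
    raw = environ["wsgi.input"].read()
    try:
        payload = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        payload = None
    if not isinstance(payload, dict):
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"expected a JSON object"]
    body = json.dumps({"received_keys": sorted(payload)}).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


def post_tokens(body, content_length=None):
    """Drive the stack with a constructed WSGI environ; returns (status, bytes)."""
    app = RequestBodySizeLimiter(tokens_app)
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/tokens",
               "wsgi.input": io.BytesIO(body)}
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    out = b"".join(app(environ, start_response))
    return seen["status"], out
```

post_tokens(b'{"auth": {"tenantName": "demo"}}', 32) returns a 200,
while a body of MAX_BODY_BYTES + 1 bytes is refused with a 413 whether
it declares an honest length, an understated one, or none at all; a
non-numeric Content-Length is a 400 before any byte is read.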

Changes in openstack-nova :

- Add quotas for fixed ips. (CVE-2013-1838)

- Update to version 2012.2.3+git.1358515929.3545a7d :

+ Add NFS to the libvirt volume driver list

+ Call plug_vifs() for all instances in init_host

+ Fix addition of CPU features when running against legacy
libvirt

+ Fix typo in resource tracker audit message

- Move back to 'git_tarballs' source service.

- Start using obs-service-github_tarballs

- Update to version 2012.2.3+git.1358434328.a41b913 :

+ Provide better error message for aggregate-create

+ Fix errors in used_limits extension

+ Add an iptables mangle rule per-bridge for DHCP.

+ Limit formatting routes when adding resources

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Install polkit rules file in
/usr/share/polkit-1/rules.d/ since it's not a
configuration file, and use 10 instead of 50 as priority
to make sure it is taken into account.

- Update to version 2012.2.4+git.1362583574.da38af5 :

+ VNC Token Validation (CVE-2013-0335)

- Update to version 2012.2.4+git.1362502642.8c4df00 :

+ Ensure we add a new line when appending to rc.local

+ Handle compute node not available for live migration

+ remove intermediate libvirt downloaded images

- Add openstack-nova-polkit.rules: polkit rules for the
new polkit that uses JavaScript. On openSUSE 12.3 and
later, we install this file in /etc/polkit-1/rules.d/
instead of installing the pkla file which is of no use
with the new polkit.

- Update to version 2012.2.4+git.1361527907.d5e7f55 :

+ Avoid stuck task_state on snapshot image failure

+ Add a safe_minidom_parse_string function.
(CVE-2013-1664)

+ Enable libvirt to work with NoopFirewallDriver

+ Fix state sync logic related to the PAUSED VM state

+ libvirt: Fix nova-compute start when missing ip.

- Update to version 2012.2.4+git.1360133953.e5d0f4b :

+ Final versioning for 2012.2.3

+ Bump version to 2012.2.4

- Update to version 2012.2.3+git.1359529791.317cc0a :

+ remove session parameter from fixed_ip_get

+ Eliminate race conditions in floating association

+ Fix to include error message in instance faults

+ disallow boot from volume from specifying arbitrary
volumes (CVE-2013-0208)

- Update to version 2012.2.3+git.1359111576.03c3e9b :

+ Ensure that Quantum uses configured fixed IP

+ Makes sure compute doesn't crash on failed resume.
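
The cinder, keystone and nova entries above that add a
safe_minidom_parse_string function or disable XML entity parsing
(CVE-2013-1664, CVE-2013-1665) address one weakness: Python's stock
minidom honours entity declarations in an inline DTD, so anyone who can
submit XML to the API can make the server expand an exponentially
nested entity ("billion laughs") or reference an external one. The
following is an added example of the hardening pattern, not the
OpenStack implementation and not part of this advisory: an expat SAX
parser subclass whose DOCTYPE and ENTITY declaration handlers raise,
plugged into minidom.parseString. The class and function names and the
sample documents are constructed for illustration.

```python
"""Added example (not OpenStack code): minidom parsing that refuses DTDs
and entity declarations, the class of fix shipped for CVE-2013-1664 and
CVE-2013-1665."""
from xml.dom import minidom
from xml.sax import expatreader


class UnsafeXMLError(ValueError):
    """Raised when a document carries a <!DOCTYPE> or <!ENTITY> declaration."""


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX/expat parser that aborts as soon as a DTD or entity is declared.

    expat expands internal entities before any content handler sees the
    text, so the only reliable point to stop an exponential expansion or an
    external-entity reference is the declaration itself.
    """

    def _forbid_doctype(self, name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("inline DTD (<!DOCTYPE>) is not allowed")

    def _forbid_entity(self, *decl):
        raise UnsafeXMLError("<!ENTITY> declarations are not allowed")

    def reset(self):
        # The base class builds a fresh pyexpat parser here and wires its own
        # handlers; ours are installed afterwards so they are not overwritten.
        expatreader.ExpatParser.reset(self)
        self._parser.StartDoctypeDeclHandler = self._forbid_doctype
        self._parser.EntityDeclHandler = self._forbid_entity
        self._parser.UnparsedEntityDeclHandler = self._forbid_entity


def safe_parse_string(xml_text):
    """Parse a str of XML into a minidom Document, refusing DTD/entity use."""
    return minidom.parseString(xml_text, parser=ProtectedExpatParser())


def element_text(doc):
    """Concatenate the direct text children of the document element."""
    root = doc.documentElement
    return "".join(n.data for n in root.childNodes
                   if n.nodeType == n.TEXT_NODE)


def is_rejected(xml_text):
    """True if the hardened parser refuses the document."""
    try:
        safe_parse_string(xml_text)
    except UnsafeXMLError:
        return True
    return False


def stock_expansion_length(xml_text):
    """How much text the unprotected stdlib parser produces for the root."""
    return len(element_text(minidom.parseString(xml_text)))


# Constructed sample inputs (not taken from the advisory).
BENIGN = "<volume><name>vol-1</name></volume>"

# Two-level nested entity: 10 x 10 copies of "lol" once expanded.  Real
# attacks nest far deeper; the stock parser expands this without complaint.
LAUGHS = (
    '<?xml version="1.0"?>'
    "<!DOCTYPE lolz ["
    '<!ENTITY lol "lol">'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    '<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    "]><volume>&lol2;</volume>"
)

# External entity pointing at a local file.
XXE = (
    '<!DOCTYPE v [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<volume><name>&xxe;</name></volume>"
)

if __name__ == "__main__":
    print(safe_parse_string(BENIGN).documentElement.tagName)   # volume
    print(stock_expansion_length(LAUGHS))                       # 300
    print(is_rejected(LAUGHS), is_rejected(XXE))                # True True
```

The stock parser turns the 250-byte LAUGHS document into 300 bytes of
text; adding a few more nesting levels makes the ratio ruinous, which
is why the hardened parser refuses at the declaration rather than
trying to bound the output afterwards.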

Changes in openstack-quantum :

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Update to version 2012.2.4+git.1362583635.f94b149 :

+ L3 port delete prevention: do not raise if no IP on port

- Update to version 2012.2.4+git.1362504084.06e42f8 :

+ Close file descriptors when executing sub-processes

+ Persist updated expiration time

- Update to version 2012.2.4+git.1361527969.4de49b4 :

+ only destroy single namespace if router_id is set

+ Enable OVS and NETNS utilities to perform logging

+ Disable dhcp_domain distribution when dhcp_domain is
empty

+ Shorten the DHCP default resync_interval

- Update to version 2012.2.4+git.1360134016.d2a85e6 :

+ Final versioning for 2012.2.3

+ Bump version to 2012.2.4

- Update to version 2012.2.3+git.1359529852.a84ba7e :

+ Regression caused by commit b56c2c998

+ LinuxBridge: update status according to admin_state_up

+ Ensure that correct root helper is used

Changes in openstack-quickstart :

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Update to latest git (cb0fbe8) :

+ Enable Cinder and Swift service endpoints

+ Setup Cinder properly

- Update to latest git (95d7088) :

+ Fill in values in the cinder/api-paste.ini template

Changes in openstack-swift :

- Update to version 1.7.4.1+git.1359529903.0ce3e1d :

+ Use pypi for python-swiftclient dependency.

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

Changes in python-cinderclient :

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Add compat-newer-requests.patch: take patches from
upstream to allow working with newer versions of
python-requests.

Changes in python-django_openstack_auth :

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Update to version 1.0.6 :

+ Fix compatibility with keystoneclient v0.2.

- Changes from version 1.0.5 :

+ Improves error handling; fixes failing test.

Changes in python-keystoneclient :

- Update 12.3 packages to Folsom as of March 5th. This
comes with security fixes and bug fixes that we need to
have OpenStack work nicely. Fix bnc#802278.

- Add compat-newer-requests.patch: take patches from
upstream to allow working with newer versions of
python-requests.

See also :

https://bugzilla.novell.com/show_bug.cgi?id=802278
https://bugzilla.novell.com/show_bug.cgi?id=808622
https://bugzilla.novell.com/show_bug.cgi?id=808626

Solution :

Update the affected openstack packages.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 74936

CVE ID: CVE-2013-0208
CVE-2013-0212
CVE-2013-0247
CVE-2013-0282
CVE-2013-0335
CVE-2013-1664
CVE-2013-1665
CVE-2013-1838
CVE-2013-1840