SUSE-SU-2020:3624-1

Source
https://www.suse.com/support/update/announcement/2020/suse-su-20203624-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2020:3624-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2020:3624-1
Related
Published
2020-12-04T11:50:23Z
Modified
2020-12-04T11:50:23Z
Summary
Security update for crowbar-openstack, grafana, influxdb, python-urllib3
Details

This update for crowbar-openstack, grafana, influxdb, python-urllib3 contains the following fixes:

Security fixes included in this update:

openstack-glance - CVE-2016-8611: Added rate limiting for glance api (bnc#1005886)

grafana - CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch datasource (bnc#1178243)

influxdb - CVE-2019-20933: Fixed an authentication bypass (bnc#1178988)

python-urllib3 - CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071)
  - CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bnc#1177120)

memcached - CVE-2018-1000115: Fixed an issue where a UDP server allowed spoofed traffic amplification DoS (bnc#1083903).

Non-security fixes included in this update:

Changes in crowbar-openstack:

  • Update to version 4.0+git.1604938545.30c10db18:

    • rabbitmq: Fix crm running check (SOC-11240)

Changes in grafana:

  • Fix bnc#1178243 CVE-2020-24303 by adding 25401-Fix-XSS-vulnerability-with-series-overrides.patch

Changes in influxdb:

  • Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to fix authentication bypass
  • Declare license files correctly

  • Version 1.2.4:

    • The stress tool influx_stress will be removed in a subsequent release.
    • Remove the override of GOMAXPROCS.
    • Uncomment section headers from the default configuration file.
    • Improve write performance significantly.
    • Prune data in meta store for deleted shards.
    • Update latest dependencies with Godeps.
    • Introduce syntax for marking a partial response with chunking.
    • Use X-Forwarded-For IP address in HTTP logger if present.
    • Add support for secure transmission via collectd.
    • Switch logging to use structured logging everywhere.
    • [CLI feature request] USE retention policy for queries.
    • Add clear command to cli.
    • Adding ability to use parameters in queries in the v2 client using the Parameters map in the Query struct.
    • Allow add items to array config via ENV
    • Support subquery execution in the query language.
    • Verbose output for SSL connection errors.
    • Cache snapshotting performance improvements
  • Partially revert previous change to fix build for Leap

Changes in python-urllib3:

  • Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.

  • Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for CVE-2019-9740.

  • Add urllib3-cve-2020-26137.patch. Don't allow control chars in request method. (bnc#1177120, CVE-2020-26137)

References

Affected packages

SUSE:OpenStack Cloud 7 / crowbar-openstack

Package

Name
crowbar-openstack
Purl
purl:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.0+git.1604938545.30c10db18-9.77.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "6.7.4-1.20.1",
            "influxdb": "1.2.4-5.1",
            "crowbar-openstack": "4.0+git.1604938545.30c10db18-9.77.1",
            "python-urllib3": "1.16-3.12.1"
        }
    ]
}

SUSE:OpenStack Cloud 7 / grafana

Package

Name
grafana
Purl
purl:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.7.4-1.20.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "6.7.4-1.20.1",
            "influxdb": "1.2.4-5.1",
            "crowbar-openstack": "4.0+git.1604938545.30c10db18-9.77.1",
            "python-urllib3": "1.16-3.12.1"
        }
    ]
}

SUSE:OpenStack Cloud 7 / influxdb

Package

Name
influxdb
Purl
purl:rpm/suse/influxdb&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.4-5.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "6.7.4-1.20.1",
            "influxdb": "1.2.4-5.1",
            "crowbar-openstack": "4.0+git.1604938545.30c10db18-9.77.1",
            "python-urllib3": "1.16-3.12.1"
        }
    ]
}

SUSE:OpenStack Cloud 7 / python-urllib3

Package

Name
python-urllib3
Purl
purl:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.16-3.12.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "6.7.4-1.20.1",
            "influxdb": "1.2.4-5.1",
            "crowbar-openstack": "4.0+git.1604938545.30c10db18-9.77.1",
            "python-urllib3": "1.16-3.12.1"
        }
    ]
}