SUSE-SU-2018:2536-1

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20182536-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:2536-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:2536-1
Related
Published
2018-08-28T09:05:28Z
Modified
2018-08-28T09:05:28Z
Summary
Security update for grafana, kafka, logstash and monasca-installer
Details

This update for grafana, kafka, logstash and monasca-installer fixes the following issues:

The following security issues have been fixed:

grafana:

  • CVE-2018-12099: Fix Cross-Site-Scripting (XSS) vulnerabilities in dashboard links. (bsc#1096985)

kafka:

  • CVE-2018-1288: Authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request that interferes with data replication, resulting in data loss. (bsc#1102920)

logstash:

  • CVE-2018-3817: Fix potential leak of sensitive data when logging warnings about deprecated options. (bsc#1090849)

Additionally, the following non-security issues have been fixed:

monasca-installer:

  • Add complete set of elasticsearch performance tunables.
  • Update to version Build2018042714.04 (bsc#1090192, bsc#1090343)
  • Fix bad elasticsearch-curator configuration. (bsc#1090192)
  • Enable bootstrap.memory_lock for Elasticsearch. (bsc#1090343)

logstash:

  • Declare Gemfile as config to prevent loss of installed plugins when updating.
  • Stop installing prebuilt jruby for non-x86.

kafka:

  • Update to version 0.10.2.2 (bsc#1102920, CVE-2018-1288)
  • Add noreplace directive for /etc/kafka/server.properties.
  • Reduce package ownership of tmpfiles.d to the bare minimum. (SLE12 SP2)
  • Set log rotation options. (bsc#1094448)
  • Disable jmxremote debugging. (bsc#1095603)
  • Increase open file limits. (bsc#1086909)
References

Affected packages

SUSE:OpenStack Cloud 7 / grafana

Package

Name
grafana
Purl
pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.5.1-1.8.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "4.5.1-1.8.1",
            "kafka": "0.10.2.2-5.1",
            "monasca-installer": "20180608_12.47-9.1",
            "logstash": "2.4.1-5.1"
        }
    ]
}

SUSE:OpenStack Cloud 7 / kafka

Package

Name
kafka
Purl
pkg:rpm/suse/kafka&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.10.2.2-5.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "4.5.1-1.8.1",
            "kafka": "0.10.2.2-5.1",
            "monasca-installer": "20180608_12.47-9.1",
            "logstash": "2.4.1-5.1"
        }
    ]
}

SUSE:OpenStack Cloud 7 / logstash

Package

Name
logstash
Purl
pkg:rpm/suse/logstash&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.1-5.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "4.5.1-1.8.1",
            "kafka": "0.10.2.2-5.1",
            "monasca-installer": "20180608_12.47-9.1",
            "logstash": "2.4.1-5.1"
        }
    ]
}

SUSE:OpenStack Cloud 7 / monasca-installer

Package

Name
monasca-installer
Purl
pkg:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
20180608_12.47-9.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "4.5.1-1.8.1",
            "kafka": "0.10.2.2-5.1",
            "monasca-installer": "20180608_12.47-9.1",
            "logstash": "2.4.1-5.1"
        }
    ]
}