SUSE-SU-2021:1963-1
- Source
- https://www.suse.com/support/update/announcement/2021/suse-su-20211963-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2021:1963-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2021:1963-1
- Related
- Published
- 2021-06-11T13:14:14Z
- Modified
- 2021-06-11T13:14:14Z
- Summary
- Security update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store
- Details
-
This update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store contains the following fixes:
Security fixes included in this update:
crowbar-openstack: - CVE-2016-8611: Added rate limiting for the '/images' API POST method (bsc#1005886).
grafana: - CVE-2021-27358: Fixed a denial of service via remote API call (bsc#1183803)
kibana: - CVE-2017-11499: Fixed a vulnerability in nodejs, related to the HashTable implementation, which could cause a denial of service (bsc#1044849) - CVE-2017-11481: Fixed a cross site scripting vulnerability via via URL fields (bsc#1044849)
python-Django: - CVE-2021-3281: Fixed a directory traversal via archive.extract() (bsc#1181379) - CVE-2021-28658: Fixed a directory traversal via uploaded files (bsc#1184148) - CVE-2021-31542: Fixed a directory traversal via uploaded files with suitably crafted file names (bsc#1185623) - CVE-2021-33203:Fixed potential path-traversal via admindocs' TemplateDetailView (bsc#1186608) - CVE-2021-33571: Tighten validator checks to not allow leading zeros in IPv4 addresses, which potentially leads to further attacks (bsc#1186611)
python-py: - CVE-2020-29651: Fixed a denial of service via regular expressions (bsc#1179805)
rubygem-activerecord-session_store: - CVE-2019-25025: Fixed a timing attacks targeting the session id which could allow an attack to hijack sessions (bsc#1183174)
Non-security fixes included in this update:
Changes in crowbar-openstack: - Update to version 4.0+git.1616146720.44daffca0: * monasca: restart Kibana on update (bsc#1044849)
Changes in grafana_Update: - Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358) * Prevent unauthenticated remote attackers from causing a DoS through the snapshots API.
Changes in kibana_Update: - Ensure /etc/sysconfig/kibana is present
- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14,
ESA-2017-16)
- [4.6] ignore forked code for babel transpile build phase (#13483)
- Allow more than match queries in custom filters (#8614) (#10857)
- [state] don't make extra $location.replace() calls (#9954)
- [optimizer] move to querystring-browser package for up-to-date api
- [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls
- server: refactor log_interceptor to be more DRY (#9617)
- server: downgrade ECANCELED logs to debug (#9616)
- server: do not treat logged warnings as errors (#8746) (#9610)
- [server/logger] downgrade EPIPE errors to debug level (#9023)
- Add basepath when redirecting from a trailling slash (#9035)
- [es/kibanaIndex] use unmappedtype rather than ignoreunmapped (#8968)
- [server/shortUrl] validate urls before shortening them
- Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481)
- This fixes an XSS vulnerability in URL fields
- Remove %dir declaration from /opt/kibana/optimize to ensure no files owned by root end up in there
- Exclude /opt/kibana/optimize from %fdupes
- Restart service on upgrade
- Do not copy LICENSE.txt and README.txt to /opt/kibana
- Fix rpmlint warnings/errors
- Switch to explicit patch application
- Fix source URL
- Fix logic for systemd/systemv detection
Changes in monasca-installer_Update: - Add support-influxdb-1.2.patch (SOC-11435)
Changes in python-Django_Update: - Fixed potential path-traversal via admindocs' TemplateDetailView.(bsc#1186608, CVE-2021-33203) - Prevented leading zeros in IPv4 addresses. (bsc#1186611, CVE-2021-33571) - Add delegate-os-path-filename-generation-to-storage.patch (bsc#1185623) * Needed for CVE-2021-31542.patch to apply - Tightened path & file name sanitation in file uploads. (bsc#1185623, CVE-2021-31542) - Fixed potential directory-traversal via uploaded files. (bsc#1184148, CVE-2021-28658) - Fixes a potential directory traversal when extracting archives. (bsc#1181379, CVE-2021-3281)
Changes in python-py_Update: - Add CVE-2020-29651.patch (CVE-2020-29651, bsc#1179805) * svnwc: fix regular expression vulnerable to DoS in blame functionality - Ensure /usr/share/licenses exists
Changes in rubygem-activerecord-sessionstoreUpdate: - added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174) * This requires CVE-2019-16782.patch to be included in rubygem-actionpack-4_2 to work correctly.
- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14,
ESA-2017-16)
- References
-
- https://www.suse.com/support/update/announcement/2021/suse-su-20211963-1/
- https://bugzilla.suse.com/1044849
- https://bugzilla.suse.com/1179805
- https://bugzilla.suse.com/1181379
- https://bugzilla.suse.com/1183803
- https://bugzilla.suse.com/1184148
- https://bugzilla.suse.com/1185623
- https://bugzilla.suse.com/1186608
- https://bugzilla.suse.com/1186611
- https://www.suse.com/security/cve/CVE-2017-11481
- https://www.suse.com/security/cve/CVE-2017-11499
- https://www.suse.com/security/cve/CVE-2019-25025
- https://www.suse.com/security/cve/CVE-2020-29651
- https://www.suse.com/security/cve/CVE-2021-27358
- https://www.suse.com/security/cve/CVE-2021-28658
- https://www.suse.com/security/cve/CVE-2021-31542
- https://www.suse.com/security/cve/CVE-2021-3281
- https://www.suse.com/security/cve/CVE-2021-33203
- https://www.suse.com/security/cve/CVE-2021-33571
Affected packages
SUSE:OpenStack Cloud 7 / crowbar-openstack
Package
- Name
- crowbar-openstack
- Purl
- purl:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.0+git.1616146720.44daffca0-9.81.2
Ecosystem specific
{
"binaries": [
{
"python-Django": "1.8.19-3.29.1",
"grafana": "6.7.4-1.24.2",
"crowbar-openstack": "4.0+git.1616146720.44daffca0-9.81.2",
"monasca-installer": "20180608_12.47-16.2",
"python-py": "1.8.1-11.16.2",
"kibana": "4.6.6-9.2",
"ruby2.1-rubygem-activerecord-session_store": "0.1.2-3.4.2"
}
]
}
SUSE:OpenStack Cloud 7 / grafana
Package
- Name
- grafana
- Purl
- purl:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.7.4-1.24.2
Ecosystem specific
{
"binaries": [
{
"python-Django": "1.8.19-3.29.1",
"grafana": "6.7.4-1.24.2",
"crowbar-openstack": "4.0+git.1616146720.44daffca0-9.81.2",
"monasca-installer": "20180608_12.47-16.2",
"python-py": "1.8.1-11.16.2",
"kibana": "4.6.6-9.2",
"ruby2.1-rubygem-activerecord-session_store": "0.1.2-3.4.2"
}
]
}
SUSE:OpenStack Cloud 7 / kibana
Package
- Name
- kibana
- Purl
- purl:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%207
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.6.6-9.2
Ecosystem specific
{
"binaries": [
{
"python-Django": "1.8.19-3.29.1",
"grafana": "6.7.4-1.24.2",
"crowbar-openstack": "4.0+git.1616146720.44daffca0-9.81.2",
"monasca-installer": "20180608_12.47-16.2",
"python-py": "1.8.1-11.16.2",
"kibana": "4.6.6-9.2",
"ruby2.1-rubygem-activerecord-session_store": "0.1.2-3.4.2"
}
]
}
SUSE:OpenStack Cloud 7 / monasca-installer
Package
- Name
- monasca-installer
- Purl
- purl:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed20180608_12.47-16.2
Ecosystem specific
{
"binaries": [
{
"python-Django": "1.8.19-3.29.1",
"grafana": "6.7.4-1.24.2",
"crowbar-openstack": "4.0+git.1616146720.44daffca0-9.81.2",
"monasca-installer": "20180608_12.47-16.2",
"python-py": "1.8.1-11.16.2",
"kibana": "4.6.6-9.2",
"ruby2.1-rubygem-activerecord-session_store": "0.1.2-3.4.2"
}
]
}
SUSE:OpenStack Cloud 7 / python-Django
Package
- Name
- python-Django
- Purl
- purl:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.8.19-3.29.1
Ecosystem specific
{
"binaries": [
{
"python-Django": "1.8.19-3.29.1",
"grafana": "6.7.4-1.24.2",
"crowbar-openstack": "4.0+git.1616146720.44daffca0-9.81.2",
"monasca-installer": "20180608_12.47-16.2",
"python-py": "1.8.1-11.16.2",
"kibana": "4.6.6-9.2",
"ruby2.1-rubygem-activerecord-session_store": "0.1.2-3.4.2"
}
]
}
SUSE:OpenStack Cloud 7 / python-py
Package
- Name
- python-py
- Purl
- purl:rpm/suse/python-py&distro=SUSE%20OpenStack%20Cloud%207
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.8.1-11.16.2
Ecosystem specific
{
"binaries": [
{
"python-Django": "1.8.19-3.29.1",
"grafana": "6.7.4-1.24.2",
"crowbar-openstack": "4.0+git.1616146720.44daffca0-9.81.2",
"monasca-installer": "20180608_12.47-16.2",
"python-py": "1.8.1-11.16.2",
"kibana": "4.6.6-9.2",
"ruby2.1-rubygem-activerecord-session_store": "0.1.2-3.4.2"
}
]
}
SUSE:OpenStack Cloud 7 / rubygem-activerecord-session_store
Package
- Name
- rubygem-activerecord-session_store
- Purl
- purl:rpm/suse/rubygem-activerecord-session_store&distro=SUSE%20OpenStack%20Cloud%207
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.1.2-3.4.2
Ecosystem specific
{
"binaries": [
{
"python-Django": "1.8.19-3.29.1",
"grafana": "6.7.4-1.24.2",
"crowbar-openstack": "4.0+git.1616146720.44daffca0-9.81.2",
"monasca-installer": "20180608_12.47-16.2",
"python-py": "1.8.1-11.16.2",
"kibana": "4.6.6-9.2",
"ruby2.1-rubygem-activerecord-session_store": "0.1.2-3.4.2"
}
]
}