openSUSE Security Update: Security Update for openstack-dashboard ______________________________________________________________________________ Announcement ID: openSUSE-SU-2015:0078-1 Rating: moderate References: #852175 #869696 #871855 #885588 #891815 #908199 Cross-References: CVE-2013-6858 CVE-2014-0157 CVE-2014-3473 CVE-2014-3474 CVE-2014-3475 CVE-2014-3594 CVE-2014-8124 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: OpenStack Dashboard was updated to fix bugs and security issues. Full changes: - Update to version horizon-2013.2.5.dev2.g9ee7273: * fix Horizon login page DOS attack (bnc#908199, CVE-2014-8124) * update version to 2013.2.5 * Updated from global requirements * Pin docutils to 0.9.1 * Set python hash seed to 0 in tox.ini * Check host is not none in each availability zone * Fix XSS issue with the unordered_list filter (bnc#891815, CVE-2014-3594) + 0001-Use-default_project_id-for-v3-users.patch (manually) * Replace UserManager with None in tests * Update test-requirements to fix sphinx build_doc * Fix multiple Cross-Site Scripting (XSS) vulnerabilities (bnc#885588, CVE-2014-3473, CVE-2014-3474, CVE-2014-3475) * Fix issues with importing the Login form Bug 869696 - Admin password injection on Horizon Dashboard is broken. - Update to version horizon-2013.2.4.dev8.g07c097f: * Bug fix on neutron's API to return the correct target ID * Fix display of images in Rebuild Instance * Get instance networking information from Neutron * Bump stable/havana next version to 2013.2.4 * Do not release FIP on disassociate action * Introduces escaping in Horizon/Orchestration 2013.2.3 (bnc#871855, CVE-2014-0157) - Update to version horizon-2013.2.3.dev8.g3d04c3c: * Reduce number of novaclient calls * Don't copy the flavorid when updating flavors * Allow snapshots of paused and suspended instances * Fixing tests to work with keystoneclient 0.6.0 * Bump stable/havana next version to 2013.2.3 + Use upstream URL as source (enables verification) + Import translations for Havana 2013.2.2 udpate - Update to version 2013.2.2.dev29.g96bd650: + Update Transifex resource name for havana + Fix inappropriate logouts on load-balanced Horizon - Update to version 2013.2.2.dev25.g6508afd: + disable volume creation, when cinder is disabled + Bad workflow-steps check: has_required_fields + Specify tenant_id when retrieving LBaaS/VPNaaS resource - Update to version 2013.2.2.dev19.g7a8eadc: + Give HealthMonitor a proper display name - Update to version 2013.2.2.dev17.gaa55b24: + Common keystone version fallback - Move settings.py (default settings) to branding-upstream subpackage: a branding package might want to change some default settings. - add 0001-Common-keystone-version-fallback.patch, 0001-Use-default_project_id-for-v3-users.patch - Update to version 2013.2.2.dev15.g2b6dfa7: + fix help text in "Create An image" window + Change how scrollShift is calculated + unify keypair name handling - Add 0001-Give-no-background-color-to-the-pie-charts.patch: do not give a background color to pie charts. - Update to version 2013.2.2.dev9.gc6d38a1: + Wrong marker sent to keystone - Update to version 2013.2.2.dev7.g2e11482: + Adding management_url to test mock client - add 0001-Bad-workflow-steps-check-has_required_fields.patch - Make python-horizon require the 2013.2 version of python-horizon-branding (and not the 2013.2.xyz version). This makes it easier to create non-upstream branding; we already do this for the other branding subpackage. - Update to version 2013.2.2.dev6.g2c1f1f3: + Add check for BlockDeviceMappingV2 nova extension + Gracefully handle Users with no email attribute + Import install_venv from oslo + Bump stable/havana next version to 2013.2.2 - Update to version 2013.2.1.dev41.g9668e80: + Updated from global requirements - put everything under /srv/www/openstack-dashboard - Update to version 2013.2.1.dev40.g852e5c8: + Import translations for Havana 2013.2.1 udpate + Deleting statistics tables from resource usage page + Allow "Working" in spinner to be translatable + lbaas/horizon - adds tcp protocol choice when create lb + Fix a bug some optional field in LBaaS are mandatory + Fix bug so that escaped html is not shown in volume detach dialog + Role name should not be translated in Domain Groups dialog + Fix incomplete translation of "Update members" widget + Fix translatable string for "Injected File Path Bytes" + Add extra extension file to makemessage command line + Add contextual markers to BatchAction messages + Logging user out after self password change + Add logging configuration for iso8601 module + Ensure all compute meters are listed in dropdown + Fix bug by escaping strings from Nova before displaying them (bnc#852175, CVE-2013-6858) - add/use generic openstack-branding provides - Update to version 2013.2.1.dev9.g842ba5f: + Fix default port of MS SQL in security group template + Provide missing hover hints for instance:<type> meters + translate text: "subnet"/"subnet details" + Change "Tenant" to "Project" + Avoid discarding precision of metering data - Use Django's signed_cookies session backend like upstream and drop the usage of cache_db - No need to set SECRET_KEY anymore, upstream learned it too python-django_openstack_auth was updated to 1.1.3: - Various i18n fixes - Revoke tokens when logging out or changing the tenant - Run tests locally, therefore merge test package back into main - Properly build HTML documentation and install it - Add pt_BR locale - Updated (build) requirements - Add django_openstack_auth-hacking-requires.patch: hacking dep is nonsense - include tests runner - add -test subpackage Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2015-39 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (noarch): openstack-dashboard-2013.2.5.dev2.g9ee7273-4.1 openstack-dashboard-branding-upstream-2013.2.5.dev2.g9ee7273-4.1 openstack-dashboard-test-2013.2.5.dev2.g9ee7273-4.1 python-django_openstack_auth-1.1.3-4.1 python-horizon-2013.2.5.dev2.g9ee7273-4.1 python-horizon-branding-upstream-2013.2.5.dev2.g9ee7273-4.1 References: http://support.novell.com/security/cve/CVE-2013-6858.html http://support.novell.com/security/cve/CVE-2014-0157.html http://support.novell.com/security/cve/CVE-2014-3473.html http://support.novell.com/security/cve/CVE-2014-3474.html http://support.novell.com/security/cve/CVE-2014-3475.html http://support.novell.com/security/cve/CVE-2014-3594.html http://support.novell.com/security/cve/CVE-2014-8124.html https://bugzilla.suse.com/show_bug.cgi?id=852175 https://bugzilla.suse.com/show_bug.cgi?id=869696 https://bugzilla.suse.com/show_bug.cgi?id=871855 https://bugzilla.suse.com/show_bug.cgi?id=885588 https://bugzilla.suse.com/show_bug.cgi?id=891815 https://bugzilla.suse.com/show_bug.cgi?id=908199