openSUSE-SU-2015:0078-1: moderate: Security Update for openstack-dashboard
openSUSE Security Update: Security Update for openstack-dashboard
______________________________________________________________________________

Announcement ID: openSUSE-SU-2015:0078-1
Rating: moderate
References: #852175 #869696 #871855 #885588 #891815 #908199

Cross-References: CVE-2013-6858 CVE-2014-0157 CVE-2014-3473
CVE-2014-3474 CVE-2014-3475 CVE-2014-3594
CVE-2014-8124
Affected Products:
openSUSE 13.1
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:


OpenStack Dashboard was updated to fix bugs and security issues.

Full changes:
- Update to version horizon-2013.2.5.dev2.g9ee7273:
* fix Horizon login page DoS attack (bnc#908199, CVE-2014-8124)
* update version to 2013.2.5
* Updated from global requirements
* Pin docutils to 0.9.1
* Set python hash seed to 0 in tox.ini
* Check host is not none in each availability zone
* Fix XSS issue with the unordered_list filter (bnc#891815,
CVE-2014-3594)
+ 0001-Use-default_project_id-for-v3-users.patch (manually)
* Replace UserManager with None in tests
* Update test-requirements to fix sphinx build_doc
* Fix multiple Cross-Site Scripting (XSS) vulnerabilities (bnc#885588,
CVE-2014-3473, CVE-2014-3474, CVE-2014-3475)
* Fix issues with importing the Login form

Bug 869696 - Admin password injection on Horizon Dashboard is broken.

- Update to version horizon-2013.2.4.dev8.g07c097f:
* Bug fix on neutron's API to return the correct target ID
* Fix display of images in Rebuild Instance
* Get instance networking information from Neutron
* Bump stable/havana next version to 2013.2.4
* Do not release FIP on disassociate action
* Introduces escaping in Horizon/Orchestration 2013.2.3 (bnc#871855,
CVE-2014-0157)

- Update to version horizon-2013.2.3.dev8.g3d04c3c:
* Reduce number of novaclient calls
* Don't copy the flavorid when updating flavors
* Allow snapshots of paused and suspended instances
* Fixing tests to work with keystoneclient 0.6.0
* Bump stable/havana next version to 2013.2.3
+ Use upstream URL as source (enables verification)
+ Import translations for Havana 2013.2.2 update

- Update to version 2013.2.2.dev29.g96bd650:
+ Update Transifex resource name for havana
+ Fix inappropriate logouts on load-balanced Horizon

- Update to version 2013.2.2.dev25.g6508afd:
+ disable volume creation, when cinder is disabled
+ Bad workflow-steps check: has_required_fields
+ Specify tenant_id when retrieving LBaaS/VPNaaS resource

- Update to version 2013.2.2.dev19.g7a8eadc:
+ Give HealthMonitor a proper display name

- Update to version 2013.2.2.dev17.gaa55b24:
+ Common keystone version fallback

- Move settings.py (default settings) to branding-upstream subpackage: a
branding package might want to change some default settings.

- add 0001-Common-keystone-version-fallback.patch,
0001-Use-default_project_id-for-v3-users.patch

- Update to version 2013.2.2.dev15.g2b6dfa7:
+ fix help text in "Create An image" window
+ Change how scrollShift is calculated
+ unify keypair name handling

- Add 0001-Give-no-background-color-to-the-pie-charts.patch: do not give a
background color to pie charts.

- Update to version 2013.2.2.dev9.gc6d38a1:
+ Wrong marker sent to keystone

- Update to version 2013.2.2.dev7.g2e11482:
+ Adding management_url to test mock client

- add 0001-Bad-workflow-steps-check-has_required_fields.patch

- Make python-horizon require the 2013.2 version of
python-horizon-branding (and not the 2013.2.xyz version). This makes it
easier to create non-upstream branding; we already do this for the other
branding subpackage.

- Update to version 2013.2.2.dev6.g2c1f1f3:
+ Add check for BlockDeviceMappingV2 nova extension
+ Gracefully handle Users with no email attribute
+ Import install_venv from oslo
+ Bump stable/havana next version to 2013.2.2

- Update to version 2013.2.1.dev41.g9668e80:
+ Updated from global requirements

- put everything under /srv/www/openstack-dashboard

- Update to version 2013.2.1.dev40.g852e5c8:
+ Import translations for Havana 2013.2.1 update
+ Deleting statistics tables from resource usage page
+ Allow "Working" in spinner to be translatable
+ lbaas/horizon - adds tcp protocol choice when create lb
+ Fix a bug some optional field in LBaaS are mandatory
+ Fix bug so that escaped html is not shown in volume detach dialog
+ Role name should not be translated in Domain Groups dialog
+ Fix incomplete translation of "Update members" widget
+ Fix translatable string for "Injected File Path Bytes"
+ Add extra extension file to makemessage command line
+ Add contextual markers to BatchAction messages
+ Logging user out after self password change
+ Add logging configuration for iso8601 module
+ Ensure all compute meters are listed in dropdown
+ Fix bug by escaping strings from Nova before displaying them
(bnc#852175, CVE-2013-6858)

- add/use generic openstack-branding provides

- Update to version 2013.2.1.dev9.g842ba5f:
+ Fix default port of MS SQL in security group template
+ Provide missing hover hints for instance:<type> meters
+ translate text: "subnet"/"subnet details"
+ Change "Tenant" to "Project"
+ Avoid discarding precision of metering data

- Use Django's signed_cookies session backend like upstream and drop the
usage of cache_db
- No need to set SECRET_KEY anymore, upstream learned it too

python-django_openstack_auth was updated to 1.1.3:
- Various i18n fixes
- Revoke tokens when logging out or changing the tenant
- Run tests locally, therefore merge test package back into main
- Properly build HTML documentation and install it
- Add pt_BR locale
- Updated (build) requirements
- Add django_openstack_auth-hacking-requires.patch: hacking dep is nonsense
- include tests runner
- add -test subpackage


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2015-39

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.1 (noarch):

openstack-dashboard-2013.2.5.dev2.g9ee7273-4.1
openstack-dashboard-branding-upstream-2013.2.5.dev2.g9ee7273-4.1
openstack-dashboard-test-2013.2.5.dev2.g9ee7273-4.1
python-django_openstack_auth-1.1.3-4.1
python-horizon-2013.2.5.dev2.g9ee7273-4.1
python-horizon-branding-upstream-2013.2.5.dev2.g9ee7273-4.1
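After applying the patch, an administrator usually wants to confirm that every package named in the list above is now at (or beyond) the fixed version. The script below is an added example, not part of the advisory or of the openSUSE tooling: it takes the output of `rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'`, compares each installed version-release against the advisory's fixed versions using a simplified form of rpm's version ordering (digit runs compared numerically, letter runs lexically, numeric beats alpha, longer wins on a tie; epochs, `~` and `^` are not handled), and reports anything still below the fixed level. The `rpm -qa` output embedded in the script is constructed for illustration and does not come from a real system.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions for openSUSE 13.1 (noarch), copied from the advisory's Package List.
FIXED_VERSIONS: Dict[str, str] = {
    "openstack-dashboard": "2013.2.5.dev2.g9ee7273-4.1",
    "openstack-dashboard-branding-upstream": "2013.2.5.dev2.g9ee7273-4.1",
    "openstack-dashboard-test": "2013.2.5.dev2.g9ee7273-4.1",
    "python-django_openstack_auth": "1.1.3-4.1",
    "python-horizon": "2013.2.5.dev2.g9ee7273-4.1",
    "python-horizon-branding-upstream": "2013.2.5.dev2.g9ee7273-4.1",
}

# Constructed sample of `rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'`
# output (not captured from a real host): two packages lag behind the fix.
SAMPLE_RPM_QA = """\
openstack-dashboard 2013.2.4.dev8.g07c097f-2.1
python-horizon 2013.2.4.dev8.g07c097f-2.1
python-django_openstack_auth 1.1.3-4.1
openstack-dashboard-branding-upstream 2013.2.5.dev2.g9ee7273-4.1
vim 7.4.326-2.4.1
"""

# rpm treats every non-alphanumeric character as a separator and compares
# runs of digits and runs of letters as separate segments.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Epoch, '~' and '^' handling are deliberately omitted (assumption)."""
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment is considered newer than an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)  # int() drops leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: whichever string has segments left over wins.
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def compare_vr(a: str, b: str) -> int:
    """Compare 'VERSION-RELEASE' strings: version first, release only on a tie."""
    a_ver, a_rel = a.rsplit("-", 1)
    b_ver, b_rel = b.rsplit("-", 1)
    return rpmvercmp(a_ver, b_ver) or rpmvercmp(a_rel, b_rel)


def find_unpatched(rpm_qa_output: str, fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed, fixed) for every listed package still below the fix.
    Packages not named in the advisory are ignored."""
    unpatched: List[Tuple[str, str, str]] = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, installed = line.split(None, 1)
        installed = installed.strip()
        wanted = fixed.get(name)
        if wanted is not None and compare_vr(installed, wanted) < 0:
            unpatched.append((name, installed, wanted))
    return unpatched


if __name__ == "__main__":
    for name, have, want in find_unpatched(SAMPLE_RPM_QA, FIXED_VERSIONS):
        print(f"{name}: installed {have}, fixed in {want}")
```

On a real host, pipe the actual `rpm -qa --queryformat` output into `find_unpatched` instead of the constructed sample; an empty result means every package from the advisory's list is at or above the fixed version. For production use, defer to `rpm`'s own comparison (for example `rpmdev-vercmp` or the `rpm` Python bindings) rather than this simplified port, which exists here only to make the check readable.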


References:

http://support.novell.com/security/cve/CVE-2013-6858.html
http://support.novell.com/security/cve/CVE-2014-0157.html
http://support.novell.com/security/cve/CVE-2014-3473.html
http://support.novell.com/security/cve/CVE-2014-3474.html
http://support.novell.com/security/cve/CVE-2014-3475.html
http://support.novell.com/security/cve/CVE-2014-3594.html
http://support.novell.com/security/cve/CVE-2014-8124.html
https://bugzilla.suse.com/show_bug.cgi?id=852175
https://bugzilla.suse.com/show_bug.cgi?id=869696
https://bugzilla.suse.com/show_bug.cgi?id=871855
https://bugzilla.suse.com/show_bug.cgi?id=885588
https://bugzilla.suse.com/show_bug.cgi?id=891815
https://bugzilla.suse.com/show_bug.cgi?id=908199

