Title of the patch: Security update for ardana-cassandra, ardana-mq, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-openstack, grafana, influxdb, openstack-cinder, openstack-heat, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-ironic-python-agent, openstack-manila, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vpnaas, openstack-nova, python-Jinja2, python-pysaml2, python-pytest, python-urllib3, release-notes-suse-openstack-cloud, spark

---

Description of the patch: This update for ardana-cassandra, ardana-mq, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-openstack, grafana, influxdb, openstack-cinder, openstack-heat, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-ironic-python-agent, openstack-manila, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vpnaas, openstack-nova, python-Jinja2, python-pysaml2, python-pytest, python-urllib3, release-notes-suse-openstack-cloud, spark fixes the following issues: Security changes included on this update: grafana: - CVE-2020-24303: Fixed an XXS with series overides. (bsc#1178243) influxdb: - CVE-2019-20933: Fixed an authentication bypass. (bsc#1178988) python-Jinja2: - CVE-2019-10906,CVE-2019-8341,CVE-2016-10745: 'SandboxedEnvironment' securely handles 'str.format_map' in order to prevent code execution through untrusted format strings. (bsc#1132323, bsc#1125815, bsc#1132174) python-pysaml2: - CVE-2020-5390: Fixed an issue where there was no check that the signature in a SAML document is enveloped. (bsc#1160851) python-urllib3: - CVE-2020-26137: Fixed a CRLF injection via HTTP request method. (bsc#1177120) Non-security changes included in this update: Changes in ardana-cassandra: - Update to version 9.0+git.1600802664.7e480a2: * Remove freezer related backup/restore code (SOC-7751) Changes in ardana-mq: - Update to version 9.0+git.1605174486.a78ddce: * Re-enable mirroring of fanout and reply queues (bsc#1177611) Changes in ardana-osconfig: - Update to version 9.0+git.1601621747.a87e5a0: * HOS8 check needs to be a shell rather than command (SOC-11184) Changes in ardana-tempest: - Update to version 9.0+git.1603378983.fc0bca9: * Enable VPNaaS testing (SOC-8764) - Update to version 9.0+git.1599855218.875b2f3: * unblacklist some revert tests (SOC-9178) Changes in crowbar-core: - Update to version 6.0+git.1606314264.bf9ada813: * ntp: Do not use rate-limiting (bsc#1179161) - Update to version 6.0+git.1600414599.150832ca2: * Ignore CVE-2020-15169 (SOC-11391) Changes in crowbar-openstack: - Update to version 6.0+git.1604573541.bb18c172d: * rabbitmq: Fix crm running check (SOC-11240) - Update to version 6.0+git.1604491402.b4dbba849: * Remove aspiers from CODEOWNERS * Remove cmurphy from CODEOWNERS Changes in grafana: - Fix bsc#1178243 CVE-2020-24303 by adding 25401-Fix-XSS-vulnerability-with-series-overrides.patch Changes in influxdb: - Add CVE-2019-20933.patch (bsc#1178988, CVE-2019-20933) to fix authentication bypass - Declare license files correctly Changes in openstack-cinder: - Update to version cinder-13.0.10.dev20: * PowerMax Driver - Legacy volumes fail to live migrate - Update to version cinder-13.0.10.dev19: * RBD: Cleanup temporary file during exception - Update to version cinder-13.0.10.dev17: * Remove experimental job legacy-tempest-dsvm-zeromq-multibackend Changes in openstack-cinder: - Update to version cinder-13.0.10.dev20: * PowerMax Driver - Legacy volumes fail to live migrate - Update to version cinder-13.0.10.dev19: * RBD: Cleanup temporary file during exception - Update to version cinder-13.0.10.dev17: * Remove experimental job legacy-tempest-dsvm-zeromq-multibackend Changes in openstack-heat: - Update to version openstack-heat-11.0.4.dev4: * Check external resources after creation - Update to version openstack-heat-11.0.4.dev2: * Don't store signal\_url for ec2 signaling of deployments * Allow scale-down of ASG as part of update 11.0.3 Changes in openstack-heat: - Update to version openstack-heat-11.0.4.dev4: * Check external resources after creation - Update to version openstack-heat-11.0.4.dev2: * Don't store signal\_url for ec2 signaling of deployments * Allow scale-down of ASG as part of update 11.0.3 Changes in openstack-heat-gbp: - Update to version group-based-policy-automation-12.0.1.dev2: * Add support for victoria - Update to version group-based-policy-automation-12.0.1.dev1: * Add network\_id field for L2 Policy Heat Extensions 12.0.0 * Add support for ussuri * Fix master/train gate * Add support for train 10.0.0 * Upgrade for stable/stein branch 9.0.0 * Updated with 'stable/rocky' branch * Replace openstack.org URLs with 'git+https://' * OpenDev Migration Patch Changes in openstack-heat-templates: - Update to version 0.0.0+git.1605509190.64f020b: * Fix software config on rdo * optimize size and time using --no-cache-dir * add template for servers using Octavia - Update to version 0.0.0+git.1604032742.c5733ee: * Move heat-templates-check job to zuul v3 Changes in openstack-horizon-plugin-gbp-ui: - Update to version group-based-policy-ui-12.0.1.dev3: * Remove mox3 from requirements - Update to version group-based-policy-ui-12.0.1.dev2: * Fix python namespacing * Add stable victoria 12.0.0 * Add support for ussuri * Fix master/train gate * Add support for train 10.0.0 * Upgrade for stable/stein branch 9.0.0 * Upgrading for stable/rocky branch * Added Python3 support * OpenDev Migration Patch Changes in openstack-ironic-python-agent: - Update to version ironic-python-agent-3.3.4.dev6: * Fix: make Intel CNA hardware manager none generic Changes in openstack-manila: - Update to version manila-7.4.2.dev57: * fix reno file location and indention - Update to version manila-7.4.2.dev56: * [Glusterfs] Fix delete share, Couldn't find the 'gluster\_used\_vols' - Update to version manila-7.4.2.dev55: * [Glusterfs] Fix delete share, mount point not disconnected Changes in openstack-manila: - Update to version manila-7.4.2.dev57: * fix reno file location and indention - Update to version manila-7.4.2.dev56: * [Glusterfs] Fix delete share, Couldn't find the 'gluster\_used\_vols' - Update to version manila-7.4.2.dev55: * [Glusterfs] Fix delete share, mount point not disconnected Changes in openstack-neutron: - Update to version neutron-13.0.8.dev135: * Rehome api tests for propagate\_uplink\_status - Update to version neutron-13.0.8.dev134: * Revert '[Security] fix allowed-address-pair 0.0.0.0/0 issue' - Update to version neutron-13.0.8.dev132: * Drop invalid rootwrap filters * ovs firewall: fix mac learning on the ingress rule table when ovs offload enabled * Add update\_id for ResourceUpdate - Update to version neutron-13.0.8.dev126: * 'ping'/'ping6' command support in rootwrap filters - Update to version neutron-13.0.8.dev124: * Import 'oslo\_config.cfg' before 'eventlet' * [OvS] Handle re\_added multi ports - Update to version neutron-13.0.8.dev120: * Local mac direct flow for non-openflow firewall * Replace ctype.CDLL by ctypes.PyDLL in linux.ip\_lib - Update to version neutron-13.0.8.dev116: * Support gateway which is not in subnet CIDR in ha\_router * Ensure fip ip rules deleted when fip removed - Update to version neutron-13.0.8.dev112: * windows: fix terminating processes * [stable/rocky] Drop rally job * Don't raise FileNotFoundError during disabling keepalived * Load the glibc library only once for Pyroute2 - Update to version neutron-13.0.8.dev106: * Do not fail deleting namespace if it does not exist - Update to version neutron-13.0.8.dev104: * Avoid raising NetworkInterfaceNotFound exception in DHCP agent logs - Update to version neutron-13.0.8.dev103: * Use dict .get() to avoid a KeyError in the segment plugin - Update to version neutron-13.0.8.dev101: * Pass context in l3 flavor notifications * Handle properly existing LLA address during l3 agent restart - Update to version neutron-13.0.8.dev97: * Add 'keepalived\_use\_no\_track' config option Changes in openstack-neutron: - Update to version neutron-13.0.8.dev135: * Rehome api tests for propagate\_uplink\_status - Update to version neutron-13.0.8.dev134: * Revert '[Security] fix allowed-address-pair 0.0.0.0/0 issue' - Update to version neutron-13.0.8.dev132: * Drop invalid rootwrap filters * ovs firewall: fix mac learning on the ingress rule table when ovs offload enabled * Add update\_id for ResourceUpdate - Update to version neutron-13.0.8.dev126: * 'ping'/'ping6' command support in rootwrap filters - Update to version neutron-13.0.8.dev124: * Import 'oslo\_config.cfg' before 'eventlet' * [OvS] Handle re\_added multi ports - Update to version neutron-13.0.8.dev120: * Local mac direct flow for non-openflow firewall * Replace ctype.CDLL by ctypes.PyDLL in linux.ip\_lib - Update to version neutron-13.0.8.dev116: * Support gateway which is not in subnet CIDR in ha\_router * Ensure fip ip rules deleted when fip removed - Update to version neutron-13.0.8.dev112: * windows: fix terminating processes * [stable/rocky] Drop rally job * Don't raise FileNotFoundError during disabling keepalived * Load the glibc library only once for Pyroute2 - Update to version neutron-13.0.8.dev106: * Do not fail deleting namespace if it does not exist - Update to version neutron-13.0.8.dev104: * Avoid raising NetworkInterfaceNotFound exception in DHCP agent logs - Update to version neutron-13.0.8.dev103: * Use dict .get() to avoid a KeyError in the segment plugin - Update to version neutron-13.0.8.dev101: * Pass context in l3 flavor notifications * Handle properly existing LLA address during l3 agent restart - Update to version neutron-13.0.8.dev97: * Add 'keepalived\_use\_no\_track' config option Changes in openstack-neutron-gbp: - Update to version group-based-policy-12.0.1.dev5: * Fix ICMP type and ICMP code fields for named and numbered ICMP Protocol 2014.2.0rc1 - Update to version group-based-policy-12.0.1.dev4: * Fix erroneous comma (,) in the LOG.exception call 2014.2rc1 - Update to version group-based-policy-12.0.1.dev3: * Fix top of tree in gate * Endpoint level qos changes 12.0.0 * Add support for ussuri * Update subnets for SVI port corresponding to bound port * Fix the intermittent QOS UT failure * Fixed the QOS UT failure * Use train branch instead of stein * Add support for train * Prepare for removal of CommonDbMixin * Make AIM dsvm job voting * Add support for upstream Stein release * Fix python2/3 compatibility * Fix DNS Domain Name in endpoint file * When a subnet added to a bound SVI port, ensure it is added to SVI port * Add support for qos * Fix DNS issue in endpoint file * [AIM] Add pre-existing BD to network extension * Remove get\_current\_session * Remove get\_current\_session method * [AIM] Add EPG contract masters to network extension * Revert 'Remove get\_current\_session method' * Remove get\_current\_session method * Support Dual Stack on SVI nets along with BGP 9.0.0 * Add support for upstream Rocky release * Cleanup Queens (part 2) * Fix missing DB migration * Make aim functional gate job voting * Added Python3 support * [AIM] Sanitize the AIM tenant description field * Fix field sizes for VM names * Bind baremetal VNIC trunk ports * Fix missing trunk\_details for a trunk without subports * [AIM] Insert remote\_group\_id to SG rules properly * Revert '[AIM] Convert remote\_ips for SG rules properly' * Cleanup Queens * [AIM] Convert remote\_ips for SG rules properly * Clean up baremetal port handling * [AIM] Clean up the mock and stop the looping thread in the UT env * Don't stop this looping thread when an exception is thrown * [AIM] Fix router\_id allocation for SVI * Support non SVI static VLAN type segments with OpFlex agent * Baremetal VNIC Trunk support * [AIM] Don't queue notifications (4 of 4) * [AIM] Don't queue registry callbacks (3 of 4) * [AIM] Enable Neutron transaction guards (2 of 4) * Don't call GBP or Neutron APIs from GBP PD precommit methods * [AIM] Retry L3 Plugin Operations * [AIM] Fix most common random UT failures * [AIM] Fixed external subnet ANY\_CIDRs for l3out EPGs for SVI * Revert 'Nested domain parameters support for openShift networks' * Fix for unbinding baremetal VNIC ports * Nested domain parameters support for openShift networks * Fix tox coverage job * Add suport for baremetal vnic\_type 2014.2.rc1 Changes in openstack-neutron-vpnaas: - Remove remove-tempest-entry-point.patch thus enabling the tempest_vpnaas plugin for tempest testing. (SCRD-8681) - Package the neutron-vpnaas/tests/ directory contents in a new RPM RPM package, python-neutron-vpnaas-tempest-plugin, that depend on python-neutron-vpnaas, which provides the main neutron-vpnaas code base. Additionally this new package can now safely depend on the python-neutron-tempest-plugin package, providing the required neutron_tempest_plugin module, without causing tempest packages to be installed when python-neutron-vpnaas installed. (SOC-8764) NOTE: This implicitly enables the neutron_tempest_plugin. - Corrected LBaaS references to VPNaaS. Changes in openstack-nova: - Update to version nova-18.3.1.dev77: * Follow up for cherry-pick check for merge patch - Update to version nova-18.3.1.dev76: * post live migration: don't call Neutron needlessly - Update to version nova-18.3.1.dev74: * libvirt: Do not reference VIR\_ERR\_DEVICE\_MISSING when libvirt is smaller than v4.1.0 - Update to version nova-18.3.1.dev72: * libvirt: Handle VIR\_ERR\_DEVICE\_MISSING when detaching devices - Update to version nova-18.3.1.dev70: * compute: Don't delete the original attachment during pre LM rollback * Add regression tests for bug #1889108 * compute: refactor volume bdm rollback error handling - Update to version nova-18.3.1.dev64: * compute: Use source\_bdms to reset attachment\_ids during LM rollback * Robustify attachment tracking in CinderFixtureNewAttachFlow - Update to version nova-18.3.1.dev60: * Improve CinderFixtureNewAttachFlow - Update to version nova-18.3.1.dev58: * Removed the host FQDN from the exception message - Update to version nova-18.3.1.dev56: * libvirt: Provide VIR\_MIGRATE\_PARAM\_PERSIST\_XML during live migration Changes in openstack-nova: - Update to version nova-18.3.1.dev77: * Follow up for cherry-pick check for merge patch - Update to version nova-18.3.1.dev76: * post live migration: don't call Neutron needlessly - Update to version nova-18.3.1.dev74: * libvirt: Do not reference VIR\_ERR\_DEVICE\_MISSING when libvirt is smaller than v4.1.0 - Update to version nova-18.3.1.dev72: * libvirt: Handle VIR\_ERR\_DEVICE\_MISSING when detaching devices - Update to version nova-18.3.1.dev70: * compute: Don't delete the original attachment during pre LM rollback * Add regression tests for bug #1889108 * compute: refactor volume bdm rollback error handling - Update to version nova-18.3.1.dev64: * compute: Use source\_bdms to reset attachment\_ids during LM rollback * Robustify attachment tracking in CinderFixtureNewAttachFlow - Update to version nova-18.3.1.dev60: * Improve CinderFixtureNewAttachFlow - Update to version nova-18.3.1.dev58: * Removed the host FQDN from the exception message - Rebased patches: + 0004-Provide-VIR_MIGRATE_PARAM_PERSIST_XML-during-live-migration.patch dropped (merged upstream) - Update to version nova-18.3.1.dev56: * libvirt: Provide VIR\_MIGRATE\_PARAM\_PERSIST\_XML during live migration Changes in python-Jinja2: - Trim bias from descriptions. Make sure % is escaped. - update to version 2.10.1 (bsc#1132323, CVE-2019-10906, bsc#1125815, CVE-2019-8341): * 'SandboxedEnvironment' securely handles 'str.format_map' in order to prevent code execution through untrusted format strings. The sandbox already handled 'str.format'. - Activate test suite - Add minimum build dependency to match runtime dependency - Fix fdupes call - Remove superfluous devel dependency for noarch package - Update to 2.9.5 (bsc#1132174, CVE-2016-10745) Changes in python-pysaml2: - Add 0001-Fix-XML-Signature-Wrapping-XSW-vulnerabilities.patch (CVE-2020-5390, bsc#1160851) Changes in python-pytest: - update to 3.7.4 - drop 0001-Use-unittest.mock-if-is-only-aviable.patch * Fix possible infinite recursion when writing .pyc files * Cache plugin now obeys the -q flag when --last-failed and --failed-first flags are used. * Fix bad console output when using console_output_style=classic * Fixtures during teardown can again use capsys and capfd to inspect output captured during tests. * Fix bugs where unicode arguments could not be passed to testdir.runpytest on Python 2. * Fix double collection of tests within packages when the filename starts with a capital letter * Fix collection error when specifying test functions directly in the command line using test.py::test syntax together with --doctest-modules * Fix stdout/stderr not getting captured when real-time cli logging is active. * Fix bug where --show-capture=no option would still show logs printed during fixture teardown. * Fix issue where teardown of fixtures of consecutive sub-packages were executed once, at the end of the outer package. - update to 3.7.2 - add 0001-Use-unittest.mock-if-is-only-aviable.patch * Fix filterwarnings not being registered as a builtin mark. * Fix test collection from packages mixed with normal directories. * Fix infinite recursion during collection if a pytest_ignore_collect hook returns False instead of None. * Fix bug where decorated fixtures would lose functionality * Fix bug where importing modules or other objects with prefix pytest_ prefix would raise a PluginValidationError. * Fix AttributeError during teardown of TestCase subclasses which raise an exception during __init__. * Fix traceback reporting for exceptions with __cause__ cycles. Changes in python-pytest: - update to 3.7.4 - drop 0001-Use-unittest.mock-if-is-only-aviable.patch * Fix possible infinite recursion when writing .pyc files * Cache plugin now obeys the -q flag when --last-failed and --failed-first flags are used. * Fix bad console output when using console_output_style=classic * Fixtures during teardown can again use capsys and capfd to inspect output captured during tests. * Fix bugs where unicode arguments could not be passed to testdir.runpytest on Python 2. * Fix double collection of tests within packages when the filename starts with a capital letter * Fix collection error when specifying test functions directly in the command line using test.py::test syntax together with --doctest-modules * Fix stdout/stderr not getting captured when real-time cli logging is active. * Fix bug where --show-capture=no option would still show logs printed during fixture teardown. * Fix issue where teardown of fixtures of consecutive sub-packages were executed once, at the end of the outer package. - update to 3.7.2 - add 0001-Use-unittest.mock-if-is-only-aviable.patch * Fix filterwarnings not being registered as a builtin mark. * Fix test collection from packages mixed with normal directories. * Fix infinite recursion during collection if a pytest_ignore_collect hook returns False instead of None. * Fix bug where decorated fixtures would lose functionality * Fix bug where importing modules or other objects with prefix pytest_ prefix would raise a PluginValidationError. * Fix AttributeError during teardown of TestCase subclasses which raise an exception during __init__. * Fix traceback reporting for exceptions with __cause__ cycles. Changes in python-urllib3: - Update urllib3-fix-test-urls.patch. Adjust to match upstream solution. - Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for CVE-2019-9740. - Add urllib3-cve-2020-26137.patch. Don't allow control chars in request method. (bsc#1177120, CVE-2020-26137) Changes in release-notes-suse-openstack-cloud: - Update to version 9.20200917: * Change wording to correctly refer to future SES versions * Update adoc/limitations.adoc * Add SES version limitation, remove deprecated note about Octavia for Crowbar - Update to version 9.20200917: * Announce Upgrade is now available (SOC-9781) Changes in spark: - Add _constraints to prevent build from running out of disk space

---

Patchnames: SUSE-2020-3897,SUSE-OpenStack-Cloud-9-2020-3897,SUSE-OpenStack-Cloud-Crowbar-9-2020-3897

---

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).