Security update for openstack-dashboard SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:2064-1 Final 1 1 2015-11-20T13:11:32Z current 2015-11-20T13:11:32Z 2015-11-20T13:11:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openstack-dashboard This update provides fixes and enhancements for openstack-dashboard, crowbar-barclamp-nova_dashboard and python-django_openstack_auth. openstack-dashboard: - Reset flavors for other than 'Boot from Image' source type. (bsc#945515) - Add deactivated status for glance image. - Fix TemplateSyntaxError at hypervisors view. - Fix addition of plugin panel to panel group. - Remove admin role name 'admin' hardcode. (bsc#935442) - Escape the description param from heat template. (bsc#933722, CVE-2015-3219) - Enhance policy rules to workflow actions and identity project. - Sanitation of metadata passed from Django to avoid persistent XSS. (bsc#931437, CVE-2015-3988) - Fix Terminate Instance on network topology page. - Show ports from shared nets in floating IP assoc. - Fix incorrect ca arguments for calling ceilometer client. - Fix dynamic select layout when help block is displayed. - Pass correct project ID to get tenant_usages. (bsc#928891) crowbar-barclamp-nova_dashboard: - Allow switching on multidomain support. (bsc#945052) - Fix quoting of supported_provider_types. (bsc#936368) - Enable the POLICY_FILES setting configuration. - Fix attribute being fetched from wrong node. (bsc#936059) python-django_openstack_auth: - Remove admin role name 'admin' hardcode in User.is_superuser(). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleclo50sp3-openstack-crowbar-dashboard-201510-12220 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20152064-1/ Link for SUSE-SU-2015:2064-1 https://lists.suse.com/pipermail/sle-security-updates/2015-November/001689.html E-Mail link for SUSE-SU-2015:2064-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/928891 SUSE Bug 928891 https://bugzilla.suse.com/931437 SUSE Bug 931437 https://bugzilla.suse.com/933607 SUSE Bug 933607 https://bugzilla.suse.com/933722 SUSE Bug 933722 https://bugzilla.suse.com/935442 SUSE Bug 935442 https://bugzilla.suse.com/936059 SUSE Bug 936059 https://bugzilla.suse.com/936368 SUSE Bug 936368 https://bugzilla.suse.com/945052 SUSE Bug 945052 https://bugzilla.suse.com/945515 SUSE Bug 945515 https://www.suse.com/security/cve/CVE-2015-3219/ SUSE CVE CVE-2015-3219 page https://www.suse.com/security/cve/CVE-2015-3988/ SUSE CVE CVE-2015-3988 page SUSE OpenStack Cloud 5 crowbar-barclamp-nova_dashboard-1.9+git.1443622531.b2b2939-9.3 openstack-dashboard-2014.2.4~a0~dev12-13.2 python-django_openstack_auth-1.1.7-11.3 python-horizon-2014.2.4~a0~dev12-13.2 crowbar-barclamp-nova_dashboard-1.9+git.1443622531.b2b2939-9.3 as a component of SUSE OpenStack Cloud 5 openstack-dashboard-2014.2.4~a0~dev12-13.2 as a component of SUSE OpenStack Cloud 5 python-django_openstack_auth-1.1.7-11.3 as a component of SUSE OpenStack Cloud 5 python-horizon-2014.2.4~a0~dev12-13.2 as a component of SUSE OpenStack Cloud 5 Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class. CVE-2015-3219 SUSE OpenStack Cloud 5:crowbar-barclamp-nova_dashboard-1.9+git.1443622531.b2b2939-9.3 SUSE OpenStack Cloud 5:openstack-dashboard-2014.2.4~a0~dev12-13.2 SUSE OpenStack Cloud 5:python-django_openstack_auth-1.1.7-11.3 SUSE OpenStack Cloud 5:python-horizon-2014.2.4~a0~dev12-13.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20152064-1/ https://www.suse.com/security/cve/CVE-2015-3219.html CVE-2015-3219 https://bugzilla.suse.com/933722 SUSE Bug 933722 Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate. CVE-2015-3988 SUSE OpenStack Cloud 5:crowbar-barclamp-nova_dashboard-1.9+git.1443622531.b2b2939-9.3 SUSE OpenStack Cloud 5:openstack-dashboard-2014.2.4~a0~dev12-13.2 SUSE OpenStack Cloud 5:python-django_openstack_auth-1.1.7-11.3 SUSE OpenStack Cloud 5:python-horizon-2014.2.4~a0~dev12-13.2 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20152064-1/ https://www.suse.com/security/cve/CVE-2015-3988.html CVE-2015-3988 https://bugzilla.suse.com/931437 SUSE Bug 931437