Security update for openstack-keystone, openstack-nova, and openstack-swift SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:2325-1 Final 1 1 2016-09-16T12:10:42Z current 2016-09-16T12:10:42Z 2016-09-16T12:10:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openstack-keystone, openstack-nova, and openstack-swift This update for openstack-keystone, openstack-nova, and openstack-swift fixes the following issues: - Fix hybrid backend from keystone v3 (bsc#967356) - Fix cleanup when block migration fails (bsc#960015) - Avoid host data leak (bsc#960601, CVE-2015-7548) - Fix init script for openstack-swift-object-expirer - Mark backend_argument as secret (bsc#929628, CVE-2015-3646) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleclo50sp3-openstack-keystone-12748 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20162325-1/ Link for SUSE-SU-2016:2325-1 https://lists.suse.com/pipermail/sle-security-updates/2016-September/002275.html E-Mail link for SUSE-SU-2016:2325-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/929628 SUSE Bug 929628 https://bugzilla.suse.com/960015 SUSE Bug 960015 https://bugzilla.suse.com/960601 SUSE Bug 960601 https://bugzilla.suse.com/967356 SUSE Bug 967356 https://www.suse.com/security/cve/CVE-2015-3646/ SUSE CVE CVE-2015-3646 page https://www.suse.com/security/cve/CVE-2015-7548/ SUSE CVE CVE-2015-7548 page SUSE OpenStack Cloud 5 openstack-keystone-2014.2.4.juno-17.1 openstack-keystone-doc-2014.2.4.juno-17.2 openstack-nova-2014.2.4.juno-29.1 openstack-nova-api-2014.2.4.juno-29.1 openstack-nova-cells-2014.2.4.juno-29.1 openstack-nova-cert-2014.2.4.juno-29.1 openstack-nova-compute-2014.2.4.juno-29.1 openstack-nova-conductor-2014.2.4.juno-29.1 openstack-nova-console-2014.2.4.juno-29.1 openstack-nova-consoleauth-2014.2.4.juno-29.1 openstack-nova-doc-2014.2.4.juno-29.1 openstack-nova-novncproxy-2014.2.4.juno-29.1 openstack-nova-objectstore-2014.2.4.juno-29.1 openstack-nova-scheduler-2014.2.4.juno-29.1 openstack-nova-serialproxy-2014.2.4.juno-29.1 openstack-nova-vncproxy-2014.2.4.juno-29.1 openstack-swift-2.1.0-14.1 openstack-swift-account-2.1.0-14.1 openstack-swift-container-2.1.0-14.1 openstack-swift-doc-2.1.0-14.1 openstack-swift-object-2.1.0-14.1 openstack-swift-proxy-2.1.0-14.1 python-keystone-2014.2.4.juno-17.1 python-nova-2014.2.4.juno-29.1 python-swift-2.1.0-14.1 openstack-keystone-2014.2.4.juno-17.1 as a component of SUSE OpenStack Cloud 5 openstack-keystone-doc-2014.2.4.juno-17.2 as a component of SUSE OpenStack Cloud 5 openstack-nova-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-api-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-cells-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-cert-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-compute-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-conductor-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-console-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-consoleauth-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-doc-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-novncproxy-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-objectstore-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-scheduler-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-serialproxy-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-nova-vncproxy-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 openstack-swift-2.1.0-14.1 as a component of SUSE OpenStack Cloud 5 openstack-swift-account-2.1.0-14.1 as a component of SUSE OpenStack Cloud 5 openstack-swift-container-2.1.0-14.1 as a component of SUSE OpenStack Cloud 5 openstack-swift-doc-2.1.0-14.1 as a component of SUSE OpenStack Cloud 5 openstack-swift-object-2.1.0-14.1 as a component of SUSE OpenStack Cloud 5 openstack-swift-proxy-2.1.0-14.1 as a component of SUSE OpenStack Cloud 5 python-keystone-2014.2.4.juno-17.1 as a component of SUSE OpenStack Cloud 5 python-nova-2014.2.4.juno-29.1 as a component of SUSE OpenStack Cloud 5 python-swift-2.1.0-14.1 as a component of SUSE OpenStack Cloud 5 OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs. CVE-2015-3646 SUSE OpenStack Cloud 5:openstack-keystone-2014.2.4.juno-17.1 SUSE OpenStack Cloud 5:openstack-keystone-doc-2014.2.4.juno-17.2 SUSE OpenStack Cloud 5:openstack-nova-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-api-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-cells-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-cert-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-compute-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-conductor-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-console-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-consoleauth-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-doc-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-novncproxy-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-objectstore-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-scheduler-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-serialproxy-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-vncproxy-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-swift-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-account-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-container-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-doc-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-object-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-proxy-2.1.0-14.1 SUSE OpenStack Cloud 5:python-keystone-2014.2.4.juno-17.1 SUSE OpenStack Cloud 5:python-nova-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:python-swift-2.1.0-14.1 moderate 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162325-1/ https://www.suse.com/security/cve/CVE-2015-3646.html CVE-2015-3646 https://bugzilla.suse.com/929628 SUSE Bug 929628 OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot. CVE-2015-7548 SUSE OpenStack Cloud 5:openstack-keystone-2014.2.4.juno-17.1 SUSE OpenStack Cloud 5:openstack-keystone-doc-2014.2.4.juno-17.2 SUSE OpenStack Cloud 5:openstack-nova-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-api-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-cells-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-cert-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-compute-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-conductor-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-console-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-consoleauth-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-doc-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-novncproxy-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-objectstore-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-scheduler-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-serialproxy-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-nova-vncproxy-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:openstack-swift-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-account-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-container-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-doc-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-object-2.1.0-14.1 SUSE OpenStack Cloud 5:openstack-swift-proxy-2.1.0-14.1 SUSE OpenStack Cloud 5:python-keystone-2014.2.4.juno-17.1 SUSE OpenStack Cloud 5:python-nova-2014.2.4.juno-29.1 SUSE OpenStack Cloud 5:python-swift-2.1.0-14.1 moderate 6.3 AV:N/AC:M/Au:S/C:C/I:N/A:N 2.1 AV:N/AC:H/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162325-1/ https://www.suse.com/security/cve/CVE-2015-7548.html CVE-2015-7548 https://bugzilla.suse.com/960601 SUSE Bug 960601