Detections
Analytics

openSUSE Security Update : openstack-dashboard (openSUSE-SU-2015:0078-1)

medium Nessus Plugin ID 80842

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

OpenStack Dashboard was updated to fix bugs and security issues.

Full changes :

 - Update to version horizon-2013.2.5.dev2.g9ee7273 :

 - fix Horizon login page DOS attack (bnc#908199, CVE-2014-8124)

 - update version to 2013.2.5

 - Updated from global requirements

 - Pin docutils to 0.9.1

 - Set python hash seed to 0 in tox.ini

 - Check host is not none in each availability zone

 - Fix XSS issue with the unordered_list filter (bnc#891815, CVE-2014-3594)

 + 0001-Use-default_project_id-for-v3-users.patch (manually)

 - Replace UserManager with None in tests

 - Update test-requirements to fix sphinx build_doc

 - Fix multiple Cross-Site Scripting (XSS) vulnerabilities (bnc#885588, CVE-2014-3473, CVE-2014-3474, CVE-2014-3475)

 - Fix issues with importing the Login form

 Bug 869696 - Admin password injection on Horizon Dashboard is broken.

 - Update to version horizon-2013.2.4.dev8.g07c097f :

 - Bug fix on neutron's API to return the correct target ID

 - Fix display of images in Rebuild Instance

 - Get instance networking information from Neutron

 - Bump stable/havana next version to 2013.2.4

 - Do not release FIP on disassociate action

 - Introduces escaping in Horizon/Orchestration 2013.2.3 (bnc#871855, CVE-2014-0157)

 - Update to version horizon-2013.2.3.dev8.g3d04c3c :

 - Reduce number of novaclient calls

 - Don't copy the flavorid when updating flavors

 - Allow snapshots of paused and suspended instances

 - Fixing tests to work with keystoneclient 0.6.0

 - Bump stable/havana next version to 2013.2.3

 + Use upstream URL as source (enables verification)

 + Import translations for Havana 2013.2.2 udpate

 - Update to version 2013.2.2.dev29.g96bd650 :

 + Update Transifex resource name for havana

 + Fix inappropriate logouts on load-balanced Horizon

 - Update to version 2013.2.2.dev25.g6508afd :

 + disable volume creation, when cinder is disabled

 + Bad workflow-steps check: has_required_fields

 + Specify tenant_id when retrieving LBaaS/VPNaaS resource

 - Update to version 2013.2.2.dev19.g7a8eadc :

 + Give HealthMonitor a proper display name

 - Update to version 2013.2.2.dev17.gaa55b24 :

 + Common keystone version fallback

 - Move settings.py (default settings) to branding-upstream subpackage: a branding package might want to change some default settings.

 - add 0001-Common-keystone-version-fallback.patch, 0001-Use-default_project_id-for-v3-users.patch

 - Update to version 2013.2.2.dev15.g2b6dfa7 :

 + fix help text in 'Create An image' window

 + Change how scrollShift is calculated

 + unify keypair name handling

 - Add 0001-Give-no-background-color-to-the-pie-charts.patch:
 do not give a background color to pie charts.

 - Update to version 2013.2.2.dev9.gc6d38a1 :

 + Wrong marker sent to keystone

 - Update to version 2013.2.2.dev7.g2e11482 :

 + Adding management_url to test mock client

 - add 0001-Bad-workflow-steps-check-has_required_fields.patch

- Make python-horizon require the 2013.2 version of python-horizon-branding (and not the 2013.2.xyz version). This makes it easier to create non-upstream branding; we already do this for the other branding subpackage.

 - Update to version 2013.2.2.dev6.g2c1f1f3 :

 + Add check for BlockDeviceMappingV2 nova extension

 + Gracefully handle Users with no email attribute

 + Import install_venv from oslo

 + Bump stable/havana next version to 2013.2.2

 - Update to version 2013.2.1.dev41.g9668e80 :

 + Updated from global requirements

 - put everything under /srv/www/openstack-dashboard

- Update to version 2013.2.1.dev40.g852e5c8 :

 + Import translations for Havana 2013.2.1 udpate

 + Deleting statistics tables from resource usage page

 + Allow 'Working' in spinner to be translatable

 + lbaas/horizon - adds tcp protocol choice when create lb

 + Fix a bug some optional field in LBaaS are mandatory

 + Fix bug so that escaped html is not shown in volume detach dialog

 + Role name should not be translated in Domain Groups dialog

 + Fix incomplete translation of 'Update members' widget

 + Fix translatable string for 'Injected File Path Bytes'

 + Add extra extension file to makemessage command line

 + Add contextual markers to BatchAction messages

 + Logging user out after self password change

 + Add logging configuration for iso8601 module

 + Ensure all compute meters are listed in dropdown

 + Fix bug by escaping strings from Nova before displaying them (bnc#852175, CVE-2013-6858)

 - add/use generic openstack-branding provides

- Update to version 2013.2.1.dev9.g842ba5f :

 + Fix default port of MS SQL in security group template

 + Provide missing hover hints for instance:<type> meters

 + translate text: 'subnet'/'subnet details'

 + Change 'Tenant' to 'Project'

 + Avoid discarding precision of metering data

 - Use Django's signed_cookies session backend like upstream and drop the usage of cache_db

 - No need to set SECRET_KEY anymore, upstream learned it too

python-django_openstack_auth was updated to 1.1.3 :

 - Various i18n fixes

 - Revoke tokens when logging out or changing the tenant

 - Run tests locally, therefore merge test package back into main

 - Properly build HTML documentation and install it

 - Add pt_BR locale

 - Updated (build) requirements

 - Add django_openstack_auth-hacking-requires.patch:
 hacking dep is nonsense

 - include tests runner

- add -test subpackage

Solution

Update the affected openstack-dashboard packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=852175

https://bugzilla.opensuse.org/show_bug.cgi?id=869696

https://bugzilla.opensuse.org/show_bug.cgi?id=871855

https://bugzilla.opensuse.org/show_bug.cgi?id=885588

https://bugzilla.opensuse.org/show_bug.cgi?id=891815

https://bugzilla.opensuse.org/show_bug.cgi?id=908199

https://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html

Plugin Details

Severity: Medium

ID: 80842

File Name: openSUSE-2015-39.nasl

Version: 1.4

Type: local

Agent: unix

Published: 1/20/2015

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:openstack-dashboard-test, p-cpe:/a:novell:opensuse:openstack-dashboard, p-cpe:/a:novell:opensuse:python-horizon, p-cpe:/a:novell:opensuse:python-horizon-branding-upstream, p-cpe:/a:novell:opensuse:openstack-dashboard-branding-upstream, cpe:/o:novell:opensuse:13.1, p-cpe:/a:novell:opensuse:python-django_openstack_auth

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 1/10/2015

Reference Information

CVE: CVE-2013-6858, CVE-2014-0157, CVE-2014-3473, CVE-2014-3474, CVE-2014-3475, CVE-2014-3594, CVE-2014-8124