This update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store contains the following fixes:
Security fixes included in this update:
crowbar-openstack:
- CVE-2016-8611: Added rate limiting for the '/images' API POST method
(bsc#1005886).
grafana:
- CVE-2021-27358: Fixed a denial of service via remote API call
(bsc#1183803)
kibana:
- CVE-2017-11499: Fixed a vulnerability in nodejs, related to the
HashTable implementation, which could cause a denial of service
(bsc#1044849)
- CVE-2017-11481: Fixed a cross site scripting vulnerability via URL
fields (bsc#1044849)
python-Django:
- CVE-2021-3281: Fixed a directory traversal via archive.extract()
(bsc#1181379)
- CVE-2021-28658: Fixed a directory traversal via uploaded files
(bsc#1184148)
- CVE-2021-31542: Fixed a directory traversal via uploaded files with
suitably crafted file names (bsc#1185623)
- CVE-2021-33203: Fixed a potential path traversal via admindocs'
TemplateDetailView (bsc#1186608)
- CVE-2021-33571: Tightened validator checks to reject leading zeros in
IPv4 addresses; a value that passed validation could otherwise be
reinterpreted by a downstream consumer (for example as octal) and lead to
further attacks (bsc#1186611)
python-py:
- CVE-2020-29651: Fixed a denial of service via regular expressions
(bsc#1179805)
rubygem-activerecord-session_store:
- CVE-2019-25025: Fixed a timing attack targeting the session ID which
could allow an attacker to hijack sessions (bsc#1183174)
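The three python-Django path traversal entries above (archive.extract() and uploaded file names) share one defence: resolve the final path and refuse anything that does not stay inside the intended directory, and refuse file names that are empty, '.', '..' or carry a path. The following is an added example written for this advisory, not Django's own code; the class and function names, and the in-memory tar archive it builds as sample input, are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example, not Django's own code. Two traversal classes named in the
# advisory: an archive member whose name escapes the extraction directory
# (the archive.extract() issue) and an uploaded file name that is empty,
# '.', '..', or carries a path component (the uploaded-file issues).


class SuspiciousFileOperation(Exception):
    """Raised when a path would land outside the directory it belongs in."""


def safe_join(base: str, *paths: str) -> str:
    """Join base with paths, resolve '..' and symlinks, and insist that the
    result is base itself or lies below it. An absolute component in paths
    replaces base (pathlib semantics), so it is caught by the same check."""
    base_path = Path(base).resolve()
    final = base_path.joinpath(*paths).resolve()
    if final != base_path and base_path not in final.parents:
        raise SuspiciousFileOperation(f"{paths!r} escapes {base!r}")
    return str(final)


def validate_upload_name(name: str) -> str:
    """Accept only a bare file name. This rejects rather than basename()s
    suspicious input (a stricter choice than a framework might make)."""
    if name in ("", ".", ".."):
        raise SuspiciousFileOperation(f"unsupported file name {name!r}")
    if "/" in name or "\\" in name:
        raise SuspiciousFileOperation(f"path separator in file name {name!r}")
    return name


def safe_extract(archive: tarfile.TarFile, dest: str) -> List[str]:
    """Extract regular files and directories only, after every member's
    target has been checked, so a bad member never leaves partial output."""
    planned = []
    for member in archive.getmembers():
        if not (member.isfile() or member.isdir()):
            raise SuspiciousFileOperation(
                f"{member.name!r}: links and devices are refused")
        planned.append((member, safe_join(dest, member.name)))
    for member, target in planned:
        if member.isdir():
            os.makedirs(target, exist_ok=True)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with archive.extractfile(member) as src, open(target, "wb") as dst:
            dst.write(src.read())
    return [m.name for m, _ in planned]


def build_archive(members: Dict[str, bytes]) -> tarfile.TarFile:
    """Constructed sample input: an in-memory tar with name -> content,
    written without any name checks so crafted names survive intact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def demo() -> dict:
    """Run both checks on constructed input and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        good = build_archive({"docs/readme.txt": b"hello"})
        results["good_members"] = safe_extract(good, dest)
        with open(os.path.join(dest, "docs", "readme.txt"), "rb") as fh:
            results["good_content"] = fh.read()
    with tempfile.TemporaryDirectory() as dest:
        bad = build_archive({"docs/readme.txt": b"hello",
                             "../../escape.txt": b"pwned"})
        try:
            safe_extract(bad, dest)
            results["bad_archive"] = "extracted"
        except SuspiciousFileOperation:
            results["bad_archive"] = "rejected"
        # Nothing, not even the innocent first member, was written.
        results["partial_write"] = os.path.exists(os.path.join(dest, "docs"))
    results["upload_names"] = {}
    for name in ("report.pdf", "", ".", "..", "../x.pdf", "a\\b.pdf"):
        try:
            validate_upload_name(name)
            results["upload_names"][name] = "ok"
        except SuspiciousFileOperation:
            results["upload_names"][name] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Checking every member before writing any is deliberate: an archive that is half extracted when the crafted member is hit still leaves attacker-chosen files on disk. Recent CPython releases also ship `tarfile.extractall(filter="data")`, which applies a comparable containment policy in the standard library.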
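The CVE-2021-33571 entry for python-Django above is about validator strictness rather than a single bug: a leading-zero octet such as `010` is accepted by a lenient dotted-quad check but read as octal by inet_aton() in glibc and the BSD libcs, so a value that passed validation reaches a different host than the one the validator saw. The following is an added example, not Django's validator code; its function names and sample inputs are constructed for illustration, and it goes slightly beyond the entry by also showing the C library's reading of each value.

```python
import socket

# Added example, not Django's validator code. It contrasts a lenient IPv4
# check that tolerates leading zeros with the strict form the advisory
# entry for CVE-2021-33571 describes, and shows why the difference matters.


def _octets(value: str):
    """Split into dotted-quad parts, or return None if the shape is wrong."""
    parts = value.split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        if not (p.isascii() and p.isdigit() and len(p) <= 3):
            return None
    return parts


def is_ipv4_lenient(value: str) -> bool:
    """Accepts '010.0.0.1': each octet is 1-3 digits whose value is <= 255."""
    parts = _octets(value)
    return parts is not None and all(int(p) <= 255 for p in parts)


def is_ipv4_strict(value: str) -> bool:
    """Additionally rejects any octet that starts with '0' unless it is '0'."""
    parts = _octets(value)
    return parts is not None and all(
        int(p) <= 255 and (p == "0" or not p.startswith("0")) for p in parts
    )


def c_library_reading(value: str) -> str:
    """What inet_aton() makes of the string. glibc and the BSD libcs treat a
    leading-zero octet as octal, so '010.0.0.1' is read as 8.0.0.1, and
    short forms such as '1.2.3' are accepted as classful shorthand."""
    return socket.inet_ntoa(socket.inet_aton(value))


def audit(values):
    """Return (value, lenient, strict, libc_reading) for each input."""
    rows = []
    for v in values:
        try:
            libc = c_library_reading(v)
        except OSError:
            libc = "rejected"
        rows.append((v, is_ipv4_lenient(v), is_ipv4_strict(v), libc))
    return rows


if __name__ == "__main__":
    # Constructed sample inputs: the last one is the kind of value a lenient
    # validator passes but a downstream consumer may reinterpret.
    samples = ["10.0.0.1", "0.0.0.0", "256.1.1.1", "1.2.3", "010.0.0.1"]
    for row in audit(samples):
        print("%-12s lenient=%-5s strict=%-5s inet_aton=%s" % row)
```

The lesson generalises: a validator that accepts more syntax than the component that later consumes the value (a socket library, an allow-list comparison, a URL parser) creates exactly the gap the advisory calls "further attacks". Aligning the validator with the strictest consumer, as the Django fix does, closes it.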
Non-security fixes included in this update:
Changes in crowbar-openstack:
- Update to version 4.0+git.1616146720.44daffca0:
- monasca: restart Kibana on update (bsc#1044849)
Changes in grafana_Update:
- Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358)
- Prevent unauthenticated remote attackers from causing a DoS through the
snapshots API.
Changes in kibana_Update:
- Ensure /etc/sysconfig/kibana is present
- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14,
ESA-2017-16)
- [4.6] ignore forked code for babel transpile build...