Vulnerability from csaf_suse
Published
2020-12-04 11:50
Modified
2020-12-04 11:50
Summary
Security update for crowbar-openstack, grafana, influxdb, python-urllib3
Notes
Title of the patch
Security update for crowbar-openstack, grafana, influxdb, python-urllib3
Description of the patch
This update for crowbar-openstack, grafana, influxdb, python-urllib3 contains the following fixes:
Security fixes included in this update:
openstack-glance
- CVE-2016-8611: Added rate limiting for glance api (bnc#1005886)
grafana
- CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch datasource (#bnc#1178243)
influxdb
- CVE-2019-20933: Fixed an authentication bypass (bnc#1178988)
python-urlib3
- CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071).
- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bnc#1177120)
memcached
- CVE-2018-1000115: Fixed a issue where a UDP server allowed spoofed traffic amplification DoS (bnc#1083903).
Non-security fixes included in this update:
Changes in crowbar-openstack:
- Update to version 4.0+git.1604938545.30c10db18:
* rabbitmq: Fix crm running check (SOC-11240)
Changes in grafana:
- Fix bnc#1178243 CVE-2020-24303 by adding
25401-Fix-XSS-vulnerability-with-series-overrides.patch
Changes in influxdb:
- Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to
fix authentication bypass_
- Declare license files correctly
- Version 1.2.4:
* The stress tool influx_stress will be removed in a subsequent
release.
* Remove the override of GOMAXPROCS.
* Uncomment section headers from the default configuration file.
* Improve write performance significantly.
* Prune data in meta store for deleted shards.
* Update latest dependencies with Godeps.
* Introduce syntax for marking a partial response with chunking.
* Use X-Forwarded-For IP address in HTTP logger if present.
* Add support for secure transmission via collectd.
* Switch logging to use structured logging everywhere.
* [CLI feature request] USE retention policy for queries.
* Add clear command to cli.
* Adding ability to use parameters in queries in the v2 client
using the Parameters map in the Query struct.
* Allow add items to array config via ENV
* Support subquery execution in the query language.
* Verbose output for SSL connection errors.
* Cache snapshotting performance improvements
- Partially revert previous change to fix build for Leap
Changes in python-urllib3:
- Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.
- Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for
CVE-2019-9740.
- Add urllib3-cve-2020-26137.patch. Don't allow control chars in request
method. (bnc#1177120, CVE-2020-26137)
Patchnames
SUSE-2020-3624,SUSE-OpenStack-Cloud-7-2020-3624
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for crowbar-openstack, grafana, influxdb, python-urllib3", title: "Title of the patch", }, { category: "description", text: "This update for crowbar-openstack, grafana, influxdb, python-urllib3 contains the following fixes:\n\nSecurity fixes included in this update:\n\nopenstack-glance\n- CVE-2016-8611: Added rate limiting for glance api (bnc#1005886)\n\ngrafana\n- CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch datasource (#bnc#1178243)\n\ninfluxdb\n- CVE-2019-20933: Fixed an authentication bypass (bnc#1178988)\n\npython-urlib3\n- CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071).\n- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bnc#1177120)\n\nmemcached\n- CVE-2018-1000115: Fixed a issue where a UDP server allowed spoofed traffic amplification DoS (bnc#1083903).\n\nNon-security fixes included in this update:\n\nChanges in crowbar-openstack:\n- Update to version 4.0+git.1604938545.30c10db18:\n * rabbitmq: Fix crm running check (SOC-11240)\n\nChanges in grafana:\n- Fix bnc#1178243 CVE-2020-24303 by adding\n 25401-Fix-XSS-vulnerability-with-series-overrides.patch\n\nChanges in influxdb:\n- Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to\n fix authentication bypass_\n- Declare license files correctly\n\n- Version 1.2.4:\n * The stress tool influx_stress will be removed in a subsequent\n release.\n * Remove the override of GOMAXPROCS.\n * Uncomment section headers from the default configuration file.\n * Improve write performance significantly.\n * Prune data in meta store for deleted shards.\n * Update latest dependencies with Godeps.\n * Introduce syntax for marking a partial response with chunking.\n * Use X-Forwarded-For IP address in HTTP logger if present.\n * Add support for secure transmission via collectd.\n * Switch logging to use structured logging everywhere.\n * [CLI feature request] USE retention policy for queries.\n * Add clear command to cli.\n * Adding ability to use parameters in queries in the v2 client\n using the Parameters map in the Query struct.\n * Allow add items to array config via ENV\n * Support subquery execution in the query language.\n * Verbose output for SSL connection errors.\n * Cache snapshotting performance improvements\n\n- Partially revert previous change to fix build for Leap\n\nChanges in python-urllib3:\n- Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.\n\n- Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for\n CVE-2019-9740.\n\n- Add urllib3-cve-2020-26137.patch. Don't allow control chars in request\n method. (bnc#1177120, CVE-2020-26137)\n\n ", title: "Description of the patch", }, { category: "details", text: "SUSE-2020-3624,SUSE-OpenStack-Cloud-7-2020-3624", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_3624-1.json", }, { category: "self", summary: "URL for SUSE-SU-2020:3624-1", url: "https://www.suse.com/support/update/announcement/2020/suse-su-20203624-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2020:3624-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2020-December/007916.html", }, { category: "self", summary: "SUSE Bug 1005886", url: "https://bugzilla.suse.com/1005886", }, { category: "self", summary: "SUSE Bug 1170479", url: "https://bugzilla.suse.com/1170479", }, { category: "self", summary: "SUSE Bug 1177120", url: "https://bugzilla.suse.com/1177120", }, { category: "self", summary: "SUSE Bug 1178243", url: "https://bugzilla.suse.com/1178243", }, { category: "self", summary: "SUSE Bug 1178988", url: "https://bugzilla.suse.com/1178988", }, { category: "self", summary: "SUSE CVE CVE-2016-8611 page", url: "https://www.suse.com/security/cve/CVE-2016-8611/", }, { category: "self", summary: "SUSE CVE CVE-2019-20933 page", url: "https://www.suse.com/security/cve/CVE-2019-20933/", }, { category: "self", summary: "SUSE CVE CVE-2019-9740 page", url: "https://www.suse.com/security/cve/CVE-2019-9740/", }, { category: "self", summary: "SUSE CVE CVE-2020-24303 page", url: "https://www.suse.com/security/cve/CVE-2020-24303/", }, { category: "self", summary: "SUSE CVE CVE-2020-26137 page", url: "https://www.suse.com/security/cve/CVE-2020-26137/", }, ], title: "Security update for crowbar-openstack, grafana, influxdb, python-urllib3", tracking: { current_release_date: "2020-12-04T11:50:23Z", generator: { date: "2020-12-04T11:50:23Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2020:3624-1", initial_release_date: "2020-12-04T11:50:23Z", revision_history: [ { date: "2020-12-04T11:50:23Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "grafana-6.7.4-1.20.1.aarch64", product: { name: "grafana-6.7.4-1.20.1.aarch64", product_id: "grafana-6.7.4-1.20.1.aarch64", }, }, { category: "product_version", name: "influxdb-1.2.4-5.1.aarch64", product: { name: "influxdb-1.2.4-5.1.aarch64", product_id: "influxdb-1.2.4-5.1.aarch64", }, }, { category: "product_version", name: "influxdb-devel-1.2.4-5.1.aarch64", product: { name: "influxdb-devel-1.2.4-5.1.aarch64", product_id: "influxdb-devel-1.2.4-5.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", product: { name: "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", product_id: "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", }, }, { category: "product_version", name: "python-urllib3-1.16-3.12.1.noarch", product: { name: "python-urllib3-1.16-3.12.1.noarch", product_id: "python-urllib3-1.16-3.12.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "grafana-6.7.4-1.20.1.ppc64le", product: { name: "grafana-6.7.4-1.20.1.ppc64le", product_id: "grafana-6.7.4-1.20.1.ppc64le", }, }, { category: "product_version", name: "influxdb-1.2.4-5.1.ppc64le", product: { name: "influxdb-1.2.4-5.1.ppc64le", product_id: "influxdb-1.2.4-5.1.ppc64le", }, }, { category: "product_version", name: "influxdb-devel-1.2.4-5.1.ppc64le", product: { name: "influxdb-devel-1.2.4-5.1.ppc64le", product_id: "influxdb-devel-1.2.4-5.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "grafana-6.7.4-1.20.1.s390x", product: { name: "grafana-6.7.4-1.20.1.s390x", product_id: "grafana-6.7.4-1.20.1.s390x", }, }, { category: "product_version", name: "influxdb-1.2.4-5.1.s390x", product: { name: "influxdb-1.2.4-5.1.s390x", product_id: "influxdb-1.2.4-5.1.s390x", }, }, { category: "product_version", name: "influxdb-devel-1.2.4-5.1.s390x", product: { name: "influxdb-devel-1.2.4-5.1.s390x", product_id: "influxdb-devel-1.2.4-5.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "grafana-6.7.4-1.20.1.x86_64", product: { name: "grafana-6.7.4-1.20.1.x86_64", product_id: "grafana-6.7.4-1.20.1.x86_64", }, }, { category: "product_version", name: "influxdb-1.2.4-5.1.x86_64", product: { name: "influxdb-1.2.4-5.1.x86_64", product_id: "influxdb-1.2.4-5.1.x86_64", }, }, { category: "product_version", name: "influxdb-devel-1.2.4-5.1.x86_64", product: { name: "influxdb-devel-1.2.4-5.1.x86_64", product_id: "influxdb-devel-1.2.4-5.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE OpenStack Cloud 7", product: { name: "SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:7", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", }, product_reference: "crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, { category: "default_component_of", full_product_name: { name: "grafana-6.7.4-1.20.1.x86_64 as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", }, product_reference: "grafana-6.7.4-1.20.1.x86_64", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, { category: "default_component_of", full_product_name: { name: "influxdb-1.2.4-5.1.x86_64 as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", }, product_reference: "influxdb-1.2.4-5.1.x86_64", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, { category: "default_component_of", full_product_name: { name: "python-urllib3-1.16-3.12.1.noarch as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", }, product_reference: "python-urllib3-1.16-3.12.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, ], }, vulnerabilities: [ { cve: "CVE-2016-8611", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-8611", }, ], notes: [ { category: "general", text: "A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2016-8611", url: "https://www.suse.com/security/cve/CVE-2016-8611", }, { category: "external", summary: "SUSE Bug 1005886 for CVE-2016-8611", url: "https://bugzilla.suse.com/1005886", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 4.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], threats: [ { category: "impact", date: "2020-12-04T11:50:23Z", details: "low", }, ], title: "CVE-2016-8611", }, { cve: "CVE-2019-20933", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-20933", }, ], notes: [ { category: "general", text: "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2019-20933", url: "https://www.suse.com/security/cve/CVE-2019-20933", }, { category: "external", summary: "SUSE Bug 1178988 for CVE-2019-20933", url: "https://bugzilla.suse.com/1178988", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], threats: [ { category: "impact", date: "2020-12-04T11:50:23Z", details: "important", }, ], title: "CVE-2019-20933", }, { cve: "CVE-2019-9740", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-9740", }, ], notes: [ { category: "general", text: "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2019-9740", url: "https://www.suse.com/security/cve/CVE-2019-9740", }, { category: "external", summary: "SUSE Bug 1129071 for CVE-2019-9740", url: "https://bugzilla.suse.com/1129071", }, { category: "external", summary: "SUSE Bug 1130840 for CVE-2019-9740", url: "https://bugzilla.suse.com/1130840", }, { category: "external", summary: "SUSE Bug 1132663 for CVE-2019-9740", url: "https://bugzilla.suse.com/1132663", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], threats: [ { category: "impact", date: "2020-12-04T11:50:23Z", details: "moderate", }, ], title: "CVE-2019-9740", }, { cve: "CVE-2020-24303", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-24303", }, ], notes: [ { category: "general", text: "Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-24303", url: "https://www.suse.com/security/cve/CVE-2020-24303", }, { category: "external", summary: "SUSE Bug 1178243 for CVE-2020-24303", url: "https://bugzilla.suse.com/1178243", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], threats: [ { category: "impact", date: "2020-12-04T11:50:23Z", details: "moderate", }, ], title: "CVE-2020-24303", }, { cve: "CVE-2020-26137", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-26137", }, ], notes: [ { category: "general", text: "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-26137", url: "https://www.suse.com/security/cve/CVE-2020-26137", }, { category: "external", summary: "SUSE Bug 1177120 for CVE-2020-26137", url: "https://bugzilla.suse.com/1177120", }, { category: "external", summary: "SUSE Bug 1177211 for CVE-2020-26137", url: "https://bugzilla.suse.com/1177211", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", version: "3.1", }, products: [ "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1.noarch", "SUSE OpenStack Cloud 7:grafana-6.7.4-1.20.1.x86_64", "SUSE OpenStack Cloud 7:influxdb-1.2.4-5.1.x86_64", "SUSE OpenStack Cloud 7:python-urllib3-1.16-3.12.1.noarch", ], }, ], threats: [ { category: "impact", date: "2020-12-04T11:50:23Z", details: "moderate", }, ], title: "CVE-2020-26137", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.