Reviewed: https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch: f/centos8
commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <email address hidden>
Date: Wed Nov 27 17:39:51 2019 -0600
Add feature to check if a CVE has an open launchpad
This change enables the capability to track if a CVE to be fixed already
has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/
This will help the security team to focus on the CVEs that do not
have a launchpad already open, reducing the overhead of analysis of CVEs
already presented to the development team.
Story:2006971
Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
Signed-off-by: VictorRodriguez <email address hidden>
commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800
Update OVMF rpm, due to CVE bug.
CVE bug: CVE-2019-0160
The updated rpm is selected from the below link.
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html
Tests:
simplex, duplex, multi-node
Closes-Bug: 1849205
Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
Signed-off-by: Robin Lu <email address hidden>
commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 15:51:29 2019 -0500
Uprev ntp to version 4.2.6p5-29.el7
This solves:
ntp: Stack-based buffer overflow in ntpq and ntpdc allows
denial of service or code execution (CVE-2018-12327)
See the announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html
for more details.
Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
Partial-Bug: 1849197
Signed-off-by: Jim Somerville <email address hidden>
commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800
Update sudo srpm for CVE bug
To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html
CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists
Closes-Bug: 1852825
Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
Signed-off-by: Robin Lu <email address hidden>
commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500
Uprev ruby and associated gems to subminor ver 36
All affected packages are moved forward to their -36 version.
This solves:
ruby: Unintentional directory traversal by poisoned NULL byte
in Dir (CVE-2018-8780)
rubygems: Improper verification of signatures in tarball
allows to install mis-signed gem (CVE-2018-1000076)
along with numerous other issues.
See the announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006124.html
for more details.
Note that rubygem-json is moved back to version 1.7.7-36 as it
should never have been moved to 2.0.2-2 in the first place. That
appears to have occurred accidentally, taking the package from
opstools instead of os when moving to CentOS 7.6.
Change-Id: I732a0ddba6e2aa5ebda0e10f6e633f60c162890c
Closes-Bug: 1849195
Closes-Bug: 1849203
Signed-off-by: Jim Somerville <email address hidden>
commit badc87aec310748399164c4f4d610ad4b39c8056
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 11:55:56 2019 -0500
Uprev wget to version 1.14-18.el7_6.1
This solves:
wget: do_conversion() heap-based buffer overflow
vulnerability (CVE-2019-5953)
See the announcement link:
https://lists.centos.org/pipermail/centos-announce/2019-May/023316.html
for more details.
Change-Id: I0e1c47f95b0cb643703d71367d1e9aa10870859b
Closes-Bug: 1849210
Signed-off-by: Jim Somerville <email address hidden>
commit 855ef14c832c88ee41d4cae05fdd0f6bbf8e38c7
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 18:44:38 2019 -0500
Uprev elfutils to version 0.176-2.el7
This solves:
elfutils: Double-free due to double decompression of sections in
crafted ELF causes crash (CVE-2018-16402)
along with quite a few other issues.
See the announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/005856.html
for more details.
Change-Id: Ia328b6043c1815a023ab45ea6f8142dcef91864b
Closes-Bug: 1849201
Signed-off-by: Jim Somerville <email address hidden>
commit 647676c202022175a331c29a79dba20ef88e9f74
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 18:23:21 2019 -0500
Uprev polkit to version 0.112-22.el7
This solves:
polkit: Improper handling of user with uid > INT_MAX leading
to authentication bypass (CVE-2018-19788)
See the announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006051.html
for more details.
Change-Id: I6eb69cd129b2b6d0e115f65b42f997d2b3f69d9a
Closes-Bug: 1849202
Signed-off-by: Jim Somerville <email address hidden>
commit e4ea643e3cfbf3303e49b36915d3eb87b7fb4033
Author: blu <email address hidden>
Date: Thu Nov 7 14:32:01 2019 +0800
Update libX11 related rpms, due to CVE bugs
CVE bugs: CVE-2018-14599, CVE-2018-14600
Extra CVE bugs: CVE-2018-14598, CVE-2018-15853, CVE-2018-15854,
CVE-2018-15855, CVE-2018-15856, CVE-2018-15857, CVE-2018-15859,
CVE-2018-15861, CVE-2018-15862, CVE-2018-15863, CVE-2018-15864
These extra CVE bugs are fixed together. Although libxkbcommon
has a low score, we are including it here anyway just to stay
consistent with RedHat's bundling decision.
The updated rpms are selected from the link provided by RedHat.
(https://access.redhat.com/errata/RHSA-2019:2079)
Tests:
simplex, duplex, multi-node
Closes-Bug: 1849198
Closes-Bug: 1849199
Change-Id: I184ff40d855c60d4824e28f2fe701230191d62b0
Signed-off-by: Robin Lu <email address hidden>
commit 391b7d5e3485d9bc04e642889da7fc1166dbfdec
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 14:29:44 2019 -0500
Uprev systemd to version 219-67.el7
This solves:
systemd: line splitting via fgets() allows for state injection
during daemon-reexec (CVE-2018-15686)
along with some other less critical issues. See the security
announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006149.html
for more details.
Change-Id: Ia0fcc7184efea5b31408d7514921b58377beb329
Partial-Bug: 1849200
Signed-off-by: Jim Somerville <email address hidden>
commit e47f347e9fd9be6707ed35b812f45f2138bb622b
Author: Angie Wang <email address hidden>
Date: Tue Nov 19 13:46:43 2019 -0500
Upgrade botocore package
Upgrade botocore package from 1.6.0 to 1.12.75.
The new version fixed the ipv6 proxy management issue.
Change-Id: Ib82df18ed9ea72fcff9f029289dac2491fe80e81
Partial-Bug: 1853024
Signed-off-by: Angie Wang <email address hidden>
commit b1660fe4a352e1c5ee190e5dc62f4a95c9089b30
Author: Jim Somerville <email address hidden>
Date: Fri Nov 15 16:21:52 2019 -0500
i40e Driver Upgrade in support of N3000 on-board NICs
Uprev i40e to version 2.10.19.30
i40evf gets replaced by iavf version 3.7.61.20
The iavf driver supports both fortville and columbiaville,
so they decided to rename from i40evf to something more generic.
The Intel FPGA Programmable Acceleration Card N3000 contains
dual Intel XL710 NICs and an FPGA for acceleration purposes.
This driver upgrade is required to support those NICs.
Story: 2006740
Task: 37542
Change-Id: I53c731c1b519b1412acda5f5e2ee7dc33729d40d
Signed-off-by: Jim Somerville <email address hidden>
commit bc125699793b97e7dd14d05b2b6b620fed03d5f1
Author: zhipengl <email address hidden>
Date: Tue Oct 8 18:40:33 2019 +0800
Update download list for openstack-helm upgrade
Upgrade openstack-helm to
Commit-id:82c72367c85ca94270f702661c7b984899c1ae38
Upgrade openstack-helm-infra to
Commit-id:c9d6676bf9a5aceb311dc31dadd07cba6a3d6392
Story: 2006544
Task: 36623
Change-Id: I991512ef3b0bd9869aa795e4a50a41d5ca187148
Signed-off-by: zhipengl <email address hidden>