rpm package

suse/crowbar-openstack&distro=SUSE OpenStack Cloud Crowbar 8

pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208

Vulnerabilities (135)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2020-7595	—	< 5.0+git.1582911795.5081ef1da-4.34.3	5.0+git.1582911795.5081ef1da-4.34.3	Jan 21, 2020	xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
CVE-2020-2574	—	< 5.0+git.1582911795.5081ef1da-4.34.3	5.0+git.1582911795.5081ef1da-4.34.3	Jan 15, 2020	Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple prot
CVE-2020-5390	—	< 5.0+git.1593085772.64c4ab43c-4.40.2	5.0+git.1593085772.64c4ab43c-4.40.2	Jan 13, 2020	PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2019-19911	—	< 5.0+git.1593085772.64c4ab43c-4.40.2	5.0+git.1593085772.64c4ab43c-4.40.2	Jan 5, 2020	There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
CVE-2020-5312	—	< 5.0+git.1593085772.64c4ab43c-4.40.2	5.0+git.1593085772.64c4ab43c-4.40.2	Jan 3, 2020	libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
CVE-2020-5313	—	< 5.0+git.1593085772.64c4ab43c-4.40.2	5.0+git.1593085772.64c4ab43c-4.40.2	Jan 3, 2020	libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
CVE-2019-14864	—	< 5.0+git.1599037158.5c4d07480-4.43.1	5.0+git.1599037158.5c4d07480-4.43.1	Jan 2, 2020	Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any s
CVE-2019-16789	—	< 5.0+git.1593085772.64c4ab43c-4.40.2	5.0+git.1593085772.64c4ab43c-4.40.2	Dec 26, 2019	In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain
CVE-2019-16785	—	< 5.0+git.1593085772.64c4ab43c-4.40.2	5.0+git.1593085772.64c4ab43c-4.40.2	Dec 20, 2019	Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if
CVE-2019-16786	—	< 5.0+git.1593085772.64c4ab43c-4.40.2	5.0+git.1593085772.64c4ab43c-4.40.2	Dec 20, 2019	Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separ
CVE-2019-19844	—	< 5.0+git.1599037158.5c4d07480-4.43.1	5.0+git.1599037158.5c4d07480-4.43.1	Dec 18, 2019	Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo
CVE-2019-16770	—	< 5.0+git.1582911795.5081ef1da-4.34.3	5.0+git.1582911795.5081ef1da-4.34.3	Dec 5, 2019	In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p
CVE-2019-14856	—	< 5.0+git.1599037158.5c4d07480-4.43.1	5.0+git.1599037158.5c4d07480-4.43.1	Nov 26, 2019	ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
CVE-2019-10217	—	< 5.0+git.1599037158.5c4d07480-4.43.1	5.0+git.1599037158.5c4d07480-4.43.1	Nov 25, 2019	A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. An
CVE-2019-10206	—	< 5.0+git.1599037158.5c4d07480-4.43.1	5.0+git.1599037158.5c4d07480-4.43.1	Nov 22, 2019	ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger an
CVE-2019-18874	—	< 5.0+git.1593085772.64c4ab43c-4.40.2	5.0+git.1593085772.64c4ab43c-4.40.2	Nov 12, 2019	psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-2974	—	< 5.0+git.1582911795.5081ef1da-4.34.3	5.0+git.1582911795.5081ef1da-4.34.3	Oct 16, 2019	Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mult
CVE-2019-2938	—	< 5.0+git.1582911795.5081ef1da-4.34.3	5.0+git.1582911795.5081ef1da-4.34.3	Oct 16, 2019	Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromi
CVE-2017-1002201	—	< 5.0+git.1582911795.5081ef1da-4.34.3	5.0+git.1582911795.5081ef1da-4.34.3	Oct 15, 2019	In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially e
CVE-2019-14858	—	< 5.0+git.1599037158.5c4d07480-4.43.1	5.0+git.1599037158.5c4d07480-4.43.1	Oct 14, 2019	A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub par

CVE-2020-7595Jan 21, 2020
affected < 5.0+git.1582911795.5081ef1da-4.34.3fixed 5.0+git.1582911795.5081ef1da-4.34.3
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
CVE-2020-2574Jan 15, 2020
affected < 5.0+git.1582911795.5081ef1da-4.34.3fixed 5.0+git.1582911795.5081ef1da-4.34.3
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple prot
CVE-2020-5390Jan 13, 2020
affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus
CVE-2019-19911Jan 5, 2020
affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. Ho
CVE-2020-5312Jan 3, 2020
affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.
CVE-2020-5313Jan 3, 2020
affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
CVE-2019-14864Jan 2, 2020
affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any s
CVE-2019-16789Dec 26, 2019
affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests contain
CVE-2019-16785Dec 20, 2019
affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if
CVE-2019-16786Dec 20, 2019
affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separ
CVE-2019-19844Dec 18, 2019
affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo
CVE-2019-16770Dec 5, 2019
affected < 5.0+git.1582911795.5081ef1da-4.34.3fixed 5.0+git.1582911795.5081ef1da-4.34.3
In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait p
CVE-2019-14856Nov 26, 2019
affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
CVE-2019-10217Nov 25, 2019
affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. An
CVE-2019-10206Nov 22, 2019
affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger an
CVE-2019-18874Nov 12, 2019
affected < 5.0+git.1593085772.64c4ab43c-4.40.2fixed 5.0+git.1593085772.64c4ab43c-4.40.2
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-2974Oct 16, 2019
affected < 5.0+git.1582911795.5081ef1da-4.34.3fixed 5.0+git.1582911795.5081ef1da-4.34.3
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via mult
CVE-2019-2938Oct 16, 2019
affected < 5.0+git.1582911795.5081ef1da-4.34.3fixed 5.0+git.1582911795.5081ef1da-4.34.3
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromi
CVE-2017-1002201Oct 15, 2019
affected < 5.0+git.1582911795.5081ef1da-4.34.3fixed 5.0+git.1582911795.5081ef1da-4.34.3
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially e
CVE-2019-14858Oct 14, 2019
affected < 5.0+git.1599037158.5c4d07480-4.43.1fixed 5.0+git.1599037158.5c4d07480-4.43.1
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub par

Page 4 of 7