Bug 1165402 – VUL-1: CVE-2020-5247: rubygem-puma: if an application allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content

Bug 1165402 - (CVE-2020-5247) VUL-1: CVE-2020-5247: rubygem-puma: if an application allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content

(CVE-2020-5247)
Summary:	VUL-1: CVE-2020-5247: rubygem-puma: if an application allows untrusted input ...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Kristoffer Gronlund
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/253987/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-5247:5.3:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-03-02 09:05 UTC by Wolfgang Frisch
Modified:	2021-06-22 18:41 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2020-03-02 09:05:01 UTC

CVE-2020-5247

In Puma (RubyGem) before 4.3.2 and 3.12.2, if an application using Puma allows
untrusted input in a response header, an attacker can use newline characters
(i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content,
such as additional headers or an entirely new response body. This vulnerability
is known as HTTP Response Splitting. While not an attack in itself, response
splitting is a vector for several other attacks, such as cross-site scripting
(XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the
WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by
checking all headers for line endings and rejecting headers with those
characters.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
https://owasp.org/www-community/attacks/HTTP_Response_Splitting

Comment 1 Jiří Suchomel 2020-03-03 15:51:26 UTC

We have quite old puma version in SOC, I belive this one:

https://build.suse.de/package/show/Devel:Cloud:Shared:Rubygem/rubygem-puma

The problem mentions it's an additional fix for CVE-2019-16254. but it seems our puma version does not even have fix for CVE-2019-16254

Do we need a fix then? Or both of them? Is it even possible to backport?

Comment 2 Wolfgang Frisch 2020-03-03 17:29:23 UTC

Puma is currently maintained in these code streams:
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update:Products:Cloud7:Update
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
SUSE:SLE-15:Update

(In reply to Jiří Suchomel from comment #1)
> We have quite old puma version in SOC, I belive this one:
> 
> https://build.suse.de/package/show/Devel:Cloud:Shared:Rubygem/rubygem-puma
> 
> The problem mentions it's an additional fix for CVE-2019-16254. but it seems
> our puma version does not even have fix for CVE-2019-16254
CVE-2019-16254 is only mentioned in relation to this CVE due to its similarity, but doesn't appear to have a direct relationship otherwise.

> Do we need a fix then? Or both of them? Is it even possible to backport?
HTTP Response Splitting vulnerabilities like this one are only exploitable if the application embeds untrusted user data into its HTTP response headers [1].

In cases where Puma is only used internally, a backport could be possibly avoided, by implementing a short workaround provided by upstream [2] in the internal application that uses Puma. Actually fixing the library itself would be preferable, though.

Versions of the library that are shipped to customers however, definitely need to be fixed, for example version 3.11.0 in SLE-Product-HA_15-SP1 (High Availability Extensions), which draws from the code stream SUSE:SLE-15:Update. In this case updating to the upstream-provided version 3.12.4 [3] should be sufficient.

[1] https://owasp.org/www-community/attacks/HTTP_Response_Splitting
[2] https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
[3] https://rubygems.org/gems/puma/versions/3.12.4

Comment 3 Jiří Suchomel 2020-03-04 10:35:27 UTC

So I assume this is the commit that fixes 3.12.3 version:

https://github.com/puma/puma/commit/e79a5b28f618fa04b7060c87f0da34d299462416


Not that complicated, however compared to our version (2.16.0), the code in lib/puma/server.rb looks bit different, as expected...

(We do not have that @early_hints block, but other parts could be backported quite easily I think)


Let's also check the workaround - TBH I'm not sure where to apply it...

Comment 4 Jiří Suchomel 2020-03-04 15:02:49 UTC

So, actually. patching the sources seems easier for SOC than implementing a workaround and adapting the way we are starting puma.

Wolfgang, can you please take a look at 


https://build.suse.de/package/rdiff/home:jsuchome:branches:Devel:Cloud:Shared:Rubygem/rubygem-puma?opackage=rubygem-puma&oproject=Devel%3ACloud%3AShared%3ARubygem&rev=2


If you agree that this is correct, I'll create a SR to Devel:Cloud:Shared:Rubygem

Comment 5 Wolfgang Frisch 2020-03-04 15:31:27 UTC

(In reply to Jiří Suchomel from comment #4)
> So, actually. patching the sources seems easier for SOC than implementing a
> workaround and adapting the way we are starting puma.
> 
> Wolfgang, can you please take a look at 
> 
> 
> https://build.suse.de/package/rdiff/home:jsuchome:branches:Devel:Cloud:
> Shared:Rubygem/rubygem-puma?opackage=rubygem-
> puma&oproject=Devel%3ACloud%3AShared%3ARubygem&rev=2
> 
> 
> If you agree that this is correct, I'll create a SR to
> Devel:Cloud:Shared:Rubygem

The patch appears to be functionally correct. Please feel free to submit!

Comment 6 Jiří Suchomel 2020-03-06 08:55:31 UTC

https://build.suse.de/request/show/213216

Comment 9 Swamp Workflow Management 2020-04-22 16:16:21 UTC

SUSE-SU-2020:1066-1: An update that solves 9 vulnerabilities and has 14 fixes is now available.

Category: security (moderate)
Bug References: 1040519,1048688,1077718,1111180,1114157,1114169,1115904,1125357,1129734,1132852,1133817,1135773,1145498,1146206,1148426,1149110,1149535,1151206,1165402,1165643,1166290,1167240,144694
CVE References: CVE-2017-5637,CVE-2018-10851,CVE-2018-14626,CVE-2019-0201,CVE-2019-11596,CVE-2019-15026,CVE-2019-3871,CVE-2020-5247,CVE-2020-9543
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    crowbar-core-5.0+git.1585575551.16781d00d-3.38.1, crowbar-ha-5.0+git.1585316176.344190f-3.32.1, crowbar-openstack-5.0+git.1585304226.2164b7895-4.37.1, documentation-suse-openstack-cloud-deployment-8.20200319-1.23.1, documentation-suse-openstack-cloud-supplement-8.20200319-1.23.1, documentation-suse-openstack-cloud-upstream-admin-8.20200319-1.23.1, documentation-suse-openstack-cloud-upstream-user-8.20200319-1.23.1, memcached-1.5.17-3.3.1, openstack-manila-5.1.1~dev5-3.26.2, openstack-manila-doc-5.1.1~dev5-3.26.1, openstack-neutron-11.0.9~dev63-3.30.2, openstack-neutron-doc-11.0.9~dev63-3.30.1, openstack-nova-16.1.9~dev61-3.35.2, openstack-nova-doc-16.1.9~dev61-3.35.1, python-amqp-2.4.2-3.9.1, rubygem-puma-2.16.0-3.6.1, zookeeper-3.4.10-3.6.1
SUSE OpenStack Cloud 8 (src):    ardana-ansible-8.0+git.1583432621.24fa60e-3.70.1, ardana-barbican-8.0+git.1585152761.8ef3d61-4.33.1, ardana-db-8.0+git.1583944923.03cca6c-3.31.1, ardana-monasca-8.0+git.1583944894.38f023a-3.24.1, ardana-mq-8.0+git.1583944811.dc14403-3.19.1, ardana-neutron-8.0+git.1584715262.e4ea620-3.39.1, ardana-octavia-8.0+git.1585171918.418f5cf-3.26.1, ardana-tempest-8.0+git.1585311051.6ab5488-3.33.1, documentation-suse-openstack-cloud-installation-8.20200319-1.23.1, documentation-suse-openstack-cloud-operations-8.20200319-1.23.1, documentation-suse-openstack-cloud-opsconsole-8.20200319-1.23.1, documentation-suse-openstack-cloud-planning-8.20200319-1.23.1, documentation-suse-openstack-cloud-security-8.20200319-1.23.1, documentation-suse-openstack-cloud-supplement-8.20200319-1.23.1, documentation-suse-openstack-cloud-upstream-admin-8.20200319-1.23.1, documentation-suse-openstack-cloud-upstream-user-8.20200319-1.23.1, documentation-suse-openstack-cloud-user-8.20200319-1.23.1, memcached-1.5.17-3.3.1, openstack-manila-5.1.1~dev5-3.26.2, openstack-manila-doc-5.1.1~dev5-3.26.1, openstack-neutron-11.0.9~dev63-3.30.2, openstack-neutron-doc-11.0.9~dev63-3.30.1, openstack-nova-16.1.9~dev61-3.35.2, openstack-nova-doc-16.1.9~dev61-3.35.1, pdns-4.1.2-3.6.1, python-amqp-2.4.2-3.9.1, venv-openstack-aodh-5.1.1~dev7-12.24.1, venv-openstack-barbican-5.0.2~dev3-12.25.1, venv-openstack-ceilometer-9.0.8~dev7-12.22.1, venv-openstack-cinder-11.2.3~dev23-14.25.1, venv-openstack-designate-5.0.3~dev7-12.23.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.20.1, venv-openstack-glance-15.0.3~dev3-12.23.1, venv-openstack-heat-9.0.8~dev22-12.25.1, venv-openstack-ironic-9.1.8~dev8-12.25.1, venv-openstack-keystone-12.0.4~dev5-11.26.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.24.1, venv-openstack-manila-5.1.1~dev5-12.29.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.20.1, venv-openstack-murano-4.0.2~dev2-12.20.1, venv-openstack-neutron-11.0.9~dev63-13.28.1, venv-openstack-nova-16.1.9~dev61-11.26.1, venv-openstack-octavia-1.0.6~dev3-12.25.1, venv-openstack-sahara-7.0.5~dev4-11.24.1, venv-openstack-trove-8.0.2~dev2-11.24.1, zookeeper-3.4.10-3.6.1
HPE Helion Openstack 8 (src):    ardana-ansible-8.0+git.1583432621.24fa60e-3.70.1, ardana-barbican-8.0+git.1585152761.8ef3d61-4.33.1, ardana-db-8.0+git.1583944923.03cca6c-3.31.1, ardana-monasca-8.0+git.1583944894.38f023a-3.24.1, ardana-mq-8.0+git.1583944811.dc14403-3.19.1, ardana-neutron-8.0+git.1584715262.e4ea620-3.39.1, ardana-octavia-8.0+git.1585171918.418f5cf-3.26.1, ardana-tempest-8.0+git.1585311051.6ab5488-3.33.1, documentation-hpe-helion-openstack-installation-8.20200319-1.23.1, documentation-hpe-helion-openstack-operations-8.20200319-1.23.1, documentation-hpe-helion-openstack-opsconsole-8.20200319-1.23.1, documentation-hpe-helion-openstack-planning-8.20200319-1.23.1, documentation-hpe-helion-openstack-security-8.20200319-1.23.1, documentation-hpe-helion-openstack-user-8.20200319-1.23.1, memcached-1.5.17-3.3.1, openstack-manila-5.1.1~dev5-3.26.2, openstack-manila-doc-5.1.1~dev5-3.26.1, openstack-neutron-11.0.9~dev63-3.30.2, openstack-neutron-doc-11.0.9~dev63-3.30.1, openstack-nova-16.1.9~dev61-3.35.2, openstack-nova-doc-16.1.9~dev61-3.35.1, pdns-4.1.2-3.6.1, python-amqp-2.4.2-3.9.1, venv-openstack-aodh-5.1.1~dev7-12.24.1, venv-openstack-barbican-5.0.2~dev3-12.25.1, venv-openstack-ceilometer-9.0.8~dev7-12.22.1, venv-openstack-cinder-11.2.3~dev23-14.25.1, venv-openstack-designate-5.0.3~dev7-12.23.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.20.1, venv-openstack-glance-15.0.3~dev3-12.23.1, venv-openstack-heat-9.0.8~dev22-12.25.1, venv-openstack-ironic-9.1.8~dev8-12.25.1, venv-openstack-keystone-12.0.4~dev5-11.26.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.24.1, venv-openstack-manila-5.1.1~dev5-12.29.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.20.1, venv-openstack-murano-4.0.2~dev2-12.20.1, venv-openstack-neutron-11.0.9~dev63-13.28.1, venv-openstack-nova-16.1.9~dev61-11.26.1, venv-openstack-octavia-1.0.6~dev3-12.25.1, venv-openstack-sahara-7.0.5~dev4-11.24.1, venv-openstack-trove-8.0.2~dev2-11.24.1, zookeeper-3.4.10-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2020-05-05 16:33:55 UTC

SUSE-SU-2020:1190-1: An update that solves 5 vulnerabilities and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1084739,1124708,1133817,1135773,1137622,1149110,1149535,1163444,1164838,1165402,1165723,1166290,1168512,1168593,1169770
CVE References: CVE-2019-0201,CVE-2019-11596,CVE-2019-15026,CVE-2020-5247,CVE-2020-9543
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1587558898.313bb9fd3-3.22.2, crowbar-ha-6.0+git.1586256059.e6f67e1-3.16.1, crowbar-openstack-6.0+git.1587753188.da39e44a7-3.22.1, memcached-1.5.17-3.3.1, openstack-ceilometer-11.1.1~dev5-3.13.2, openstack-cinder-13.0.10~dev9-3.19.1, openstack-designate-7.0.1~dev25-3.16.2, openstack-heat-11.0.3~dev35-3.16.1, openstack-ironic-11.1.5~dev3-3.16.1, openstack-ironic-image-9.0.0-3.6.1, openstack-manila-7.4.2~dev4-4.21.1, openstack-neutron-13.0.8~dev28-3.22.1, openstack-nova-18.3.1~dev17-3.22.1, openstack-octavia-3.2.3~dev2-3.22.1, openstack-octavia-amphora-image-0.1.3-7.9.2, python-cinderclient-4.0.3-3.6.2, python-glanceclient-2.13.2-3.3.2, python-ironic-lib-2.14.3-3.6.1, python-ironicclient-2.5.4-4.10.1, python-keystonemiddleware-5.2.2-17.1, python-manila-tempest-plugin-0.1.0-3.6.1, python-novaclient-11.0.1-3.3.1, python-octaviaclient-1.6.2-3.6.1, python-openstackclient-3.16.3-11.1, python-os-brick-2.5.10-3.9.2, python-oslo.config-6.4.2-3.3.1, python-oslo.rootwrap-5.14.2-3.3.1, python-oslo.utils-3.36.5-3.3.1, python-swiftclient-3.6.1-3.3.1, python-watcherclient-2.1.1-3.3.1, release-notes-suse-openstack-cloud-9.20200319-3.18.1, rubygem-crowbar-client-3.9.2-3.6.1, rubygem-puma-2.16.0-4.6.1, zookeeper-3.4.13-3.3.1
SUSE OpenStack Cloud 9 (src):    ardana-ansible-9.0+git.1587034359.a12678b-3.19.1, ardana-barbican-9.0+git.1583953599.cd723bb-3.10.1, ardana-cluster-9.0+git.1585653734.c1fe3b2-3.13.1, ardana-db-9.0+git.1586543314.6b6aa20-3.19.1, ardana-designate-9.0+git.1583445435.4bd1793-3.10.1, ardana-input-model-9.0+git.1584632190.9541c56-3.16.1, ardana-logging-9.0+git.1585929695.f35b591-3.10.1, ardana-monasca-9.0+git.1586769889.d43d736-3.16.1, ardana-mq-9.0+git.1586350749.a463fd2-3.13.1, ardana-neutron-9.0+git.1587667603.507fb50-3.19.1, ardana-octavia-9.0+git.1587486004.8e99c6b-3.16.1, ardana-osconfig-9.0+git.1586546715.dbd07ab-3.16.1, ardana-tempest-9.0+git.1587398456.b31cc4a-3.13.1, ardana-tls-9.0+git.1586301209.c9413b4-3.12.1, memcached-1.5.17-3.3.1, openstack-ceilometer-11.1.1~dev5-3.13.2, openstack-cinder-13.0.10~dev9-3.19.1, openstack-designate-7.0.1~dev25-3.16.2, openstack-heat-11.0.3~dev35-3.16.1, openstack-ironic-11.1.5~dev3-3.16.1, openstack-ironic-image-9.0.0-3.6.1, openstack-manila-7.4.2~dev4-4.21.1, openstack-neutron-13.0.8~dev28-3.22.1, openstack-nova-18.3.1~dev17-3.22.1, openstack-octavia-3.2.3~dev2-3.22.1, openstack-octavia-amphora-image-0.1.3-7.9.2, python-cinderclient-4.0.3-3.6.2, python-glanceclient-2.13.2-3.3.2, python-ironic-lib-2.14.3-3.6.1, python-ironicclient-2.5.4-4.10.1, python-keystonemiddleware-5.2.2-17.1, python-manila-tempest-plugin-0.1.0-3.6.1, python-novaclient-11.0.1-3.3.1, python-octaviaclient-1.6.2-3.6.1, python-openstackclient-3.16.3-11.1, python-os-brick-2.5.10-3.9.2, python-oslo.config-6.4.2-3.3.1, python-oslo.rootwrap-5.14.2-3.3.1, python-oslo.utils-3.36.5-3.3.1, python-swiftclient-3.6.1-3.3.1, python-watcherclient-2.1.1-3.3.1, release-notes-suse-openstack-cloud-9.20200319-3.18.1, venv-openstack-barbican-7.0.1~dev24-3.17.1, venv-openstack-cinder-13.0.10~dev9-3.17.1, venv-openstack-designate-7.0.1~dev25-3.17.1, venv-openstack-glance-17.0.1~dev30-3.15.1, venv-openstack-heat-11.0.3~dev35-3.17.1, venv-openstack-horizon-14.1.1~dev1-4.16.1, venv-openstack-ironic-11.1.5~dev3-4.13.1, venv-openstack-keystone-14.1.1~dev36-3.17.1, venv-openstack-magnum-7.2.1~dev1-4.17.1, venv-openstack-manila-7.4.2~dev4-3.19.1, venv-openstack-monasca-2.7.1~dev10-3.15.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.17.1, venv-openstack-neutron-13.0.8~dev28-6.17.1, venv-openstack-nova-18.3.1~dev17-3.17.1, venv-openstack-octavia-3.2.3~dev2-4.17.1, venv-openstack-sahara-9.0.2~dev15-3.17.1, venv-openstack-swift-2.19.2~dev48-2.12.1, zookeeper-3.4.13-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2020-07-28 19:12:37 UTC

SUSE-SU-2020:2060-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1158675,1165402,1172175,1172176
CVE References: CVE-2019-16770,CVE-2020-11076,CVE-2020-11077,CVE-2020-5247
JIRA References: 
Sources used:
SUSE OpenStack Cloud 6-LTSS (src):    rubygem-puma-2.16.0-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2020-07-29 19:15:52 UTC

SUSE-RU-2020:2072-1: An update that solves 31 vulnerabilities and has 8 fixes is now available.

Category: recommended (low)
Bug References: 1037777,1068612,1069468,1070737,1077718,1083903,1111657,1126503,1133817,1135773,1138748,1148383,1149110,1149535,1153191,1156525,1159447,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161349,1161670,1164316,1165402,1167244,1170657,1171560,1171909,1172166,1172167,1172175,1172176,1172409,948198,981848
CVE References: CVE-2017-1000246,CVE-2017-4965,CVE-2017-4967,CVE-2018-1000115,CVE-2019-0201,CVE-2019-11596,CVE-2019-15026,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19844,CVE-2019-19911,CVE-2019-3498,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5247,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
JIRA References: ECO-1256,SOC-10357,SOC-11067,SOC-11077,SOC-11079,SOC-11082,SOC-11122,SOC-11174,SOC-11187,SOC-11224,SOC-11238,SOC-11243,SOC-11248,SOC-11251,SOC-11286,SOC-9298,SOC-9801
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-12.2, crowbar-core-4.0+git.1580209654.1d112d31f-9.66.5, crowbar-ha-4.0+git.1585316203.d6ad2c8-4.52.4, crowbar-openstack-4.0+git.1589804581.9972163f0-9.71.4, grafana-4.6.5-1.14.1, keepalived-2.0.19-1.8.1, kibana-4.6.3-5.1, memcached-1.5.17-3.6.1, monasca-installer-20180608_12.47-12.1, openstack-dashboard-theme-SUSE-2016.2-5.12.4, openstack-manila-3.0.1~dev30-4.12.2, openstack-manila-doc-3.0.1~dev30-4.12.3, openstack-neutron-fwaas-9.0.2~dev5-4.9.3, openstack-neutron-fwaas-doc-9.0.2~dev5-4.9.4, openstack-nova-14.0.11~dev13-4.40.2, openstack-nova-doc-14.0.11~dev13-4.40.2, openstack-tempest-12.2.1~a0~dev177-4.9.1, python-Django-1.8.19-3.23.1, python-Pillow-2.8.1-4.12.1, python-psql2mysql-0.5.0+git.1589351878.4ef877c-1.12.1, python-psutil-1.2.1-21.1, python-py-1.8.1-11.12.1, python-pysaml2-4.0.2-3.17.1, python-waitress-1.4.3-3.3.1, rabbitmq-server-3.4.4-3.16.1, release-notes-suse-openstack-cloud-7.20180803-3.18.3, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-7.20.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-4.6.1, zookeeper-3.4.10-6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Wolfgang Frisch 2020-12-09 17:44:24 UTC

All fixed except SUSE:SLE-15:Update