[Openstack-operators] [Openstack] [OSSA 2014-031] Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)
fungi at yuggoth.org
Mon Sep 29 23:58:00 UTC 2014
On 2014-09-30 02:39:08 +0300 (+0300), George Shuklin wrote:
> Security fixes should be continued at least twice longer than normal
You might think that, but we can only support and release security
fixes for software if we can test it. The unfortunate truth is that
as soon as we stop updating stable branches to accommodate changes
in clients and dependent libraries outside of these branches, they
cease working almost immediately and are untestable.
> This model (all important bugfixes released and than no any kind
> of security fixes at all) is just looking like yummy cake for
> 'redistributors' - but no one know if they are capable to backport
> all new fixes or not...
In fact, those distributors are our stable branch maintainers. Like
it or not, the software is written by collaborators, and someone has
to do the work to backport any fixes (security or otherwise).
Unlike many free software projects, a few members of the OpenStack
community actually manage to come together and keep prior releases
working for a time, backport important fixes to them, et cetera. The
overwhelming majority of free software projects do not bother at
all. A couple times a year we review our collective ability to
provide ongoing support for old releases, based on historical trends
for when developers have ceased caring about the fixes necessary to
keep such things working, and plan out stable point release
schedules taking those realistic limitations into account. If you
are sincerely interested in helping with this task, I strongly
recommend getting involved with the stable branch maintainers.
> You can say 'go and upgrade', but usually fresh version of
> openstack is just too raw and buggy. Example: bug in neutron
> (havana) which cause instances to loose networking on reboot was
> fixed year after initial release. And security support was dropped
> right after that release.
This is also a fair criticism, and will only improve with help from
you and other interested developers.
More information about the OpenStack-operators