[Openstack-security] [Bug 1244025] Re: Remote security group criteria don't work in Midonet plugin

Tomoe Sugihara 1244025 at bugs.launchpad.net
Thu Mar 20 05:50:26 UTC 2014


Hi Thierry, Mark,

I'd like to discuss how to proceed with fixing this security issue ASAP in Icehouse. We have a patch: https://review.openstack.org/#/c/78543/.
However, the patch is flagged with "-2", so it has not been reviewed.
Given the severity of the issue, would it be possible for that review to be considered as a bug fix for Icehouse? Or should we request an FFE in order to fix this in Icehouse?

Just to recap, the reason it was flagged as "-2" is that it missed the Icehouse-3 deadline. However, the patch was a replacement for the original one (https://review.openstack.org/#/c/74193/), which was submitted in mid-Feb, in time for FeatureProposalFreeze. We replaced the original one with 3 smaller patches because it was suggested, right before the I-3 deadline, that we split it into smaller patches.
The patch is tricky in that it implements a blueprint and includes the fix for this issue. But please note that the blueprint is just for implementing our plugin, or just refactoring work to have feature parity with Havana, with a little extension API included. It doesn't touch the Neutron core code (except for a single migration script), so it shouldn't introduce any regressions in Neutron core.

If you could suggest how we should proceed, that would be great.
We have allotted a dedicated resource to this one to react promptly.

Thanks!

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1244025

Title:
  Remote security group criteria don't work in Midonet plugin

Status in OpenStack Neutron (virtual network service):
  In Progress
Status in neutron havana series:
  New
Status in OpenStack Security Advisories:
  Confirmed

Bug description:
  When creating a security rule that specifies a remote security group
  (rather than a CIDR range), the Midonet plugin does not enforce this
  criterion. With an egress rule, for example, one of the criteria for a
  particular rule may be that only traffic to security group A will be
  allowed out. This criterion is ignored, and traffic will be allowed
  out regardless of the destination security group, provided that it
  conforms to the rule's other criteria.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1244025/+subscriptions
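
The enforcement gap in the bug description above, modelled as an added example that is not part of the original message and is not Midonet or Neutron code: the `Rule` and `Packet` types, the group membership table and all function names are hypothetical, and the addresses are constructed. It contrasts an evaluator that never consults `remote_group_id` with one that does, and lists the packets the first one wrongly allows, which is the shape a regression test for the fix would take.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:  # hypothetical model of a security group rule
    direction: str                          # "egress" or "ingress"
    protocol: Optional[str] = None          # None matches any protocol
    port: Optional[int] = None              # None matches any port
    remote_ip_prefix: Optional[str] = None  # CIDR criterion
    remote_group_id: Optional[str] = None   # remote security group criterion

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int
    remote_ip: str

# Constructed sample data: security group membership keyed by port address.
GROUP_MEMBERS = {"sg-A": {"10.0.0.5"}, "sg-B": {"10.0.0.9"}}

def _base_match(rule, pkt):
    """Every criterion except the remote security group."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol not in (None, pkt.protocol) or rule.port not in (None, pkt.port):
        return False
    if rule.remote_ip_prefix is None:
        return True
    return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.remote_ip_prefix)

def allows_ignoring_remote_group(rule, pkt):
    """Behaviour described in the bug: remote_group_id is never consulted."""
    return _base_match(rule, pkt)

def allows(rule, pkt, members=GROUP_MEMBERS):
    """Expected behaviour: the remote endpoint must belong to the named group."""
    if not _base_match(rule, pkt):
        return False
    if rule.remote_group_id is not None:
        # An unknown group resolves to an empty set, so the rule fails closed.
        return pkt.remote_ip in members.get(rule.remote_group_id, set())
    return True

def unenforced_cases(rule, packets, evaluator):
    """Packets the given evaluator allows but the reference evaluator denies."""
    return [p for p in packets if evaluator(rule, p) and not allows(rule, p)]
```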



