[Openstack-security] [Bug 1244025] Re: Remote security group criteria don't work in Midonet plugin

Thierry Carrez thierry.carrez+lp at gmail.com
Thu Mar 20 12:58:21 UTC 2014


From the Security team perspective, we need to fix this both in icehouse
and in havana, and the icehouse patch is way too featureful to be
acceptable in the stable branch. So the decision to accept a feature
freeze exception for this is a bit orthogonal to the idea of fixing the
security issue.

I see two ways out of this maze at this point:

(1) Create a patch that fixes the security issue (and only the security
issue) that we would apply to havana *and* icehouse

(2) Create a patch that fixes the security issue (and only the security
issue) that we would apply to havana. Approve an exception to feature
freeze to push the complete new version (that also happens to fix the
security issue) to icehouse.

Given that in both cases we need to create a lightweight havana patch
for the security issue (and that this patch is likely to be compatible
with the current icehouse version as well), I'd very much prefer we let
the neutron folks concentrate on bugfixing by not distracting them with
a late feature freeze exception, and therefore follow solution (2) as a
solution for this security issue.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1244025

Title:
  Remote security group criteria don't work in Midonet plugin

Status in OpenStack Neutron (virtual network service):
  In Progress
Status in neutron havana series:
  New
Status in OpenStack Security Advisories:
  Confirmed

Bug description:
  When creating a security rule that specifies a remote security group
  (rather than a CIDR range), the Midonet plugin does not enforce this
  criterion. With an egress rule, for example, one of the criteria for a
  particular rule may be that only traffic to security group A will be
  allowed out. This criterion is ignored, and traffic will be allowed
  out regardless of the destination security group, provided that it
  conforms to the rule's other criteria.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1244025/+subscriptions



