From gerrit2 at review.openstack.org Mon Apr 3 16:35:05 2017
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Mon, 03 Apr 2017 16:35:05 +0000
Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/401808

Log:

commit 9e73255de2143cf1ad87c45ad5775d7b1e7a9482
Author: Adam Young
Date:   Thu Nov 3 20:13:07 2016 -0400

    URL pattern based RBAC Management Interface

    A new entity in the Role backend that maps from VERB URL-Pattern to Role.
    I.E. from GET /v2/users to Member

    Beyond the backend and CRUD API for URL patterns there is also a Bulk
    Upload and management API.

    No RBAC enforcement is done in this commit, just management of the data
    that will be used in Keystone middleware.

    blueprint token-verify-role-check

    SecurityImpact
    APIImpact

    Co-Authored-By: Kristi Nikolla
    Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb

From 1625833 at bugs.launchpad.net Mon Apr 3 16:21:43 2017
From: 1625833 at bugs.launchpad.net (OpenStack Infra)
Date: Mon, 03 Apr 2017 16:21:43 -0000
Subject: [Openstack-security] [Bug 1625833] Re: Prevent open redirects as a result of workflow action
References: <20160920214728.9448.43144.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170403162144.25721.2829.launchpad@chaenomeles.canonical.com>

** Changed in: horizon
     Assignee: (unassigned) => Julie Gravel (julie-gravel)

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1625833

Title:
  Prevent open redirects as a result of workflow action

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  For example:

  /admin/flavors/create/?next=http://www.foobar.com/

  If a user is tricked into clicking that link, the flavor create workflow
  will be shown, but the redirect on form post will unexpectedly take the
  user to another site.

  Prevent this by checking that the next_url in WorkflowView.post is same
  origin.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1625833/+subscriptions

From gerrit2 at review.openstack.org Mon Apr 3 18:23:21 2017
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Mon, 03 Apr 2017 18:23:21 +0000
Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/401808

Log:

commit 5565811c48aa8c86a71b095475ac67e5aab843e5
Author: Adam Young
Date:   Thu Nov 3 20:13:07 2016 -0400

    URL pattern based RBAC Management Interface

    A new entity in the Role backend that maps from VERB URL-Pattern to Role.
    I.E. from GET /v2/users to Member

    Beyond the backend and CRUD API for URL patterns there is also a Bulk
    Upload and management API.

    No RBAC enforcement is done in this commit, just management of the data
    that will be used in Keystone middleware.
    blueprint role-check-from-middleware

    SecurityImpact
    APIImpact

    Co-Authored-By: Kristi Nikolla
    Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb

From 1676865 at bugs.launchpad.net Mon Apr 3 22:44:31 2017
From: 1676865 at bugs.launchpad.net (OpenStack Infra)
Date: Mon, 03 Apr 2017 22:44:31 -0000
Subject: [Openstack-security] [Bug 1676865] Change abandoned on openstack-ansible-security (master)
References: <20170328125617.10482.27035.malonedeb@wampee.canonical.com>
Message-ID: <20170403224431.627.76465.malone@gac.canonical.com>

Change abandoned by Major Hayden (major at mhtx.net) on branch: master
Review: https://review.openstack.org/450790
Reason: New patch coming.

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1676865

Title:
  RHEL 7 STIG final version released with renumbering

Status in openstack-ansible:
  Confirmed

Bug description:
  The final version of the RHEL 7 STIG was recently released and the
  content has changed along with the numbering. The old-style numbering
  (RHEL-07-010040) has been replaced with the V-##### numbering standard.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1676865/+subscriptions

From 1676865 at bugs.launchpad.net Mon Apr 3 22:45:50 2017
From: 1676865 at bugs.launchpad.net (OpenStack Infra)
Date: Mon, 03 Apr 2017 22:45:50 -0000
Subject: [Openstack-security] [Bug 1676865] Related fix proposed to openstack-ansible-security (master)
References: <20170328125617.10482.27035.malonedeb@wampee.canonical.com>
Message-ID: <20170403224551.518.16452.malone@gac.canonical.com>

Related fix proposed to branch: master
Review: https://review.openstack.org/452984

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1676865

Title:
  RHEL 7 STIG final version released with renumbering

Status in openstack-ansible:
  Confirmed

Bug description:
  The final version of the RHEL 7 STIG was recently released and the
  content has changed along with the numbering. The old-style numbering
  (RHEL-07-010040) has been replaced with the V-##### numbering standard.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1676865/+subscriptions

From 1676865 at bugs.launchpad.net Tue Apr 4 12:22:27 2017
From: 1676865 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 04 Apr 2017 12:22:27 -0000
Subject: [Openstack-security] [Bug 1676865] Re: RHEL 7 STIG final version released with renumbering
References: <20170328125617.10482.27035.malonedeb@wampee.canonical.com>
Message-ID: <20170404122229.17147.77623.launchpad@soybean.canonical.com>

** Changed in: openstack-ansible
       Status: Confirmed => In Progress

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1676865

Title:
  RHEL 7 STIG final version released with renumbering

Status in openstack-ansible:
  In Progress

Bug description:
  The final version of the RHEL 7 STIG was recently released and the
  content has changed along with the numbering. The old-style numbering
  (RHEL-07-010040) has been replaced with the V-##### numbering standard.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1676865/+subscriptions

From 1676865 at bugs.launchpad.net Tue Apr 4 12:57:50 2017
From: 1676865 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 04 Apr 2017 12:57:50 -0000
Subject: [Openstack-security] [Bug 1676865] Re: RHEL 7 STIG final version released with renumbering
References: <20170328125617.10482.27035.malonedeb@wampee.canonical.com>
Message-ID: <20170404125750.17056.19644.malone@soybean.canonical.com>

Reviewed:  https://review.openstack.org/452984
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=dccce1d5cc06985a58f0ecba4fd0d977388592b2
Submitter: Jenkins
Branch:    master

commit dccce1d5cc06985a58f0ecba4fd0d977388592b2
Author: Major Hayden
Date:   Tue Apr 4 07:22:01 2017 -0500

    Handle RHEL 7 STIG renumbering

    This patch gets the docs adjusted to work with the new RHEL 7 STIG
    version 1 release. The new STIG release has changed all of the
    numbering, but it maintains a link to (most) of the old STIG IDs in
    the XML.

    Closes-bug: 1676865
    Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604

** Changed in: openstack-ansible
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1676865

Title:
  RHEL 7 STIG final version released with renumbering

Status in openstack-ansible:
  Fix Released

Bug description:
  The final version of the RHEL 7 STIG was recently released and the
  content has changed along with the numbering. The old-style numbering
  (RHEL-07-010040) has been replaced with the V-##### numbering standard.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1676865/+subscriptions

From gerrit2 at review.openstack.org Tue Apr 4 15:29:21 2017
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Tue, 04 Apr 2017 15:29:21 +0000
Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Id2304adeb9490a630e1979bb70037ad8a2656d73
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/357151

Log:

commit be5989a2c1dadfd294ab51516d4a8ac2f34576de
Author: Peter Hamilton
Date:   Wed Mar 22 17:16:26 2017 -0400

    Add support for certificate validation

    This spec describes changes that would allow Nova to perform
    certificate validation when verifying Glance image signatures. While
    image signing ensures that image data is obtained unmodified from
    Glance, it does not prevent an attacker from uploading and signing a
    malicious image. The addition of Nova API changes allows Nova users to
    control the certificates which are allowed to sign images.

    This spec describes work related to image verification. For more
    information, see: https://review.openstack.org/#/c/343654

    APIImpact
    DocImpact
    SecurityImpact

    Change-Id: Id2304adeb9490a630e1979bb70037ad8a2656d73

From major at mhtx.net Tue Apr 4 15:57:12 2017
From: major at mhtx.net (Major Hayden)
Date: Tue, 04 Apr 2017 15:57:12 -0000
Subject: [Openstack-security] [Bug 1679749] [NEW] Login banner in security role isn't configurable
Message-ID: <20170404155712.9752.52177.malonedeb@wampee.canonical.com>

Public bug reported:

The login banner provided with the security role could be made much more
configurable than it is now.

** Affects: openstack-ansible
     Importance: Low
     Assignee: Major Hayden (rackerhacker)
         Status: New

** Tags: security

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1679749

Title:
  Login banner in security role isn't configurable

Status in openstack-ansible:
  New

Bug description:
  The login banner provided with the security role could be made much
  more configurable than it is now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1679749/+subscriptions

From 1679749 at bugs.launchpad.net Tue Apr 4 16:40:08 2017
From: 1679749 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 04 Apr 2017 16:40:08 -0000
Subject: [Openstack-security] [Bug 1679749] Re: Login banner in security role isn't configurable
References: <20170404155712.9752.52177.malonedeb@wampee.canonical.com>
Message-ID: <20170404164008.17554.38503.malone@soybean.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/453256

** Changed in: openstack-ansible
       Status: New => In Progress

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1679749

Title:
  Login banner in security role isn't configurable

Status in openstack-ansible:
  In Progress

Bug description:
  The login banner provided with the security role could be made much
  more configurable than it is now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1679749/+subscriptions

From lhinds at redhat.com Tue Apr 4 16:51:55 2017
From: lhinds at redhat.com (Luke Hinds)
Date: Tue, 04 Apr 2017 16:51:55 -0000
Subject: [Openstack-security] [Bug 1673085] Re: scheduler hints are unbounded and never deleted
References: <20170315141937.32150.35944.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170404165157.25998.19938.launchpad@chaenomeles.canonical.com>

** Changed in: ossn
       Status: New => Won't Fix

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1673085

Title:
  scheduler hints are unbounded and never deleted

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Won't Fix

Bug description:
  I'm initially reporting this as a potential security issue but it might
  not be, I'm just looking for feedback from the VMT.

  The scheduler_hints in the compute API are stored in the
  request_specs.spec column in the nova_api database:

  https://github.com/openstack/nova/blob/15.0.1/nova/db/sqlalchemy/api_models.py#L171

  There is no limit on the size of the keys or values, or number of hints,
  in the API:

  https://github.com/openstack/nova/blob/15.0.1/nova/api/openstack/compute/schemas/scheduler_hints.py#L18

  There are some pre-defined hints, but additionalProperties=True in the
  json schema means that one can provide any hints they want.

  So I could boot a server with a scheduler_hints dict that has a million
  keys which are a million characters long.

  At best that just results in a 500 because the column size limit in the
  database rejects the json blob size. According to the mysql 5.7 docs:

  https://dev.mysql.com/doc/refman/5.7/en/string-type-overview.html

  "TEXT[(M)] [CHARACTER SET charset_name] [COLLATE collation_name]

  A TEXT column with a maximum length of 65,535 (2^16 − 1) characters.
  The effective maximum length is less if the value contains multibyte
  characters. Each TEXT value is stored using a 2-byte length prefix that
  indicates the number of bytes in the value."

  At worst, I'm able to work backward from a million until I found out the
  limit at which I can fill the request_specs.spec column and then just
  hammer the compute API, filling up the nova_api database.

  So there are two issues:

  1. No key/value size limit in the API json schema for scheduler hints.

  2. No quota limit on the number of hints one can provide (unlike quota
  limits on user-provided metadata key/value pairs which are limited to
  255 for the key/value and 128 for the quota).

  Add to this the fact that we never delete request_specs entries from the
  nova_api database automatically (that's being worked on here:
  https://review.openstack.org/#/c/391060/ ).

  This might not be a security issue, it might just be poor API design and
  we can tighten things up to avoid a 500 error with quota limits and json
  schema validation on the key/value size on each hint, and also delete
  request specs when we delete an instance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1673085/+subscriptions

From gerrit2 at review.openstack.org Wed Apr 5 19:40:36 2017
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Wed, 05 Apr 2017 19:40:36 +0000
Subject: [Openstack-security] [openstack/cursive] SecurityImpact review request change I8d7f43fb4c0573ac3681147eac213b369bbbcb3b
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/357202

Log:

commit 5800adf69d6a9dabc8adf0c71c4fd2e3c58e6e59
Author: Peter Hamilton
Date:   Thu Aug 18 08:50:38 2016 -0400

    Add certificate validation

    This change adds support for certificate validation, including
    certificate inspection utilities. Validating a certificate requires the
    certificate UUID of the certificate to validate, a set of UUIDs
    corresponding to the set of trusted certificates needed to validate the
    certificate, and a user context for authentication to the key manager.

    A new certificate verification context is included that is used to
    store the set of trusted certificates once they are loaded from the
    key manager. This context is used to validate the signing certificate,
    verifying that the certificate belongs to a valid certificate chain
    rooted in the set of trusted certificates.
    All new certificate utility code is added in a new module named
    certificate_utils.

    For more information on this work, see the spec:
    https://review.openstack.org/#/c/357151/

    SecurityImpact
    DocImpact

    Change-Id: I8d7f43fb4c0573ac3681147eac213b369bbbcb3b

From 1679749 at bugs.launchpad.net Thu Apr 6 13:30:38 2017
From: 1679749 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 06 Apr 2017 13:30:38 -0000
Subject: [Openstack-security] [Bug 1679749] Re: Login banner in security role isn't configurable
References: <20170404155712.9752.52177.malonedeb@wampee.canonical.com>
Message-ID: <20170406133038.12640.79057.malone@gac.canonical.com>

Reviewed:  https://review.openstack.org/453256
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=005fa52c66544f05f8ac88e7f0a873c2d2e1cfdc
Submitter: Jenkins
Branch:    master

commit 005fa52c66544f05f8ac88e7f0a873c2d2e1cfdc
Author: Major Hayden
Date:   Wed Apr 5 08:32:34 2017 -0500

    Make login banner customizable

    This patch makes it easier for deployers to customize their login
    banner and it also fixes some documentation bugs around how to
    configure the graphical login banner.

    Closes-bug: 1679749
    Change-Id: I755de63cc3965f065077c983dbf1015ad93dfa6c

** Changed in: openstack-ansible
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1679749

Title:
  Login banner in security role isn't configurable

Status in openstack-ansible:
  Fix Released

Bug description:
  The login banner provided with the security role could be made much
  more configurable than it is now.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1679749/+subscriptions

From 1664723 at bugs.launchpad.net Thu Apr 6 14:09:05 2017
From: 1664723 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 06 Apr 2017 14:09:05 -0000
Subject: [Openstack-security] [Bug 1664723] Re: replication_slave user and passwords exposed in logging
References: <20170214213337.4535.90559.malonedeb@chaenomeles.canonical.com>
Message-ID: <20170406140905.31539.71847.malone@wampee.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/454204

** Changed in: trove
       Status: New => In Progress

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1664723

Title:
  replication_slave user and passwords exposed in logging

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack DBaaS (Trove):
  In Progress

Bug description:
  Currently the passwords and usernames for trove's replication_user in
  pxc and percona configuration options are exposed in the logger. Mysql
  already has secret=True for their configuration options. This patch
  extends that to all of the other database configuration options using
  oslo.config.cfg.Opt option secret [1].
  See output below for exact logs:

  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_password = NETOU7897NNLOU from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744
  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_user = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744
  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.636 DEBUG oslo_service.service [-] pxc.replication_user = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744

  References
  [1] http://docs.openstack.org/developer/oslo.config/cfg.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1664723/+subscriptions

From 1663417 at bugs.launchpad.net Thu Apr 6 14:48:46 2017
From: 1663417 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 06 Apr 2017 14:48:46 -0000
Subject: [Openstack-security] [Bug 1663417] Re: Bandit issue B701:jinja2_autoescape_false
References: <20170209231702.6449.93775.malonedeb@wampee.canonical.com>
Message-ID: <20170406144847.1680.16602.launchpad@chaenomeles.canonical.com>

** Changed in: trove
       Status: New => In Progress

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1663417

Title:
  Bandit issue B701:jinja2_autoescape_false

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack DBaaS (Trove):
  In Progress

Bug description:
  After running bandit it found an issue of Severity and Confidence High.

  Test results:
  >> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.
     Severity: High   Confidence: High
     Location: trove/common/utils.py:53
  51
  52  def build_jinja_environment():
  53      env = jinja2.Environment(loader=jinja2.ChoiceLoader([
  54          jinja2.FileSystemLoader(CONF.template_path),
  55          jinja2.PackageLoader("trove", "templates")
  56      ]))
  57      # Add some basic operation not built-in.

  Simply adding the argument autoescape=True to the function call will fix
  the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1663417/+subscriptions

From 1575913 at bugs.launchpad.net Thu Apr 6 20:33:33 2017
From: 1575913 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 06 Apr 2017 20:33:33 -0000
Subject: [Openstack-security] [Bug 1575913] Re: Generate and download keypair GET endpoint allows CSRF attacks
References: <20160427202224.17621.97555.malonedeb@soybean.canonical.com>
Message-ID: <20170406203336.31126.51255.launchpad@wampee.canonical.com>

** Changed in: horizon
       Status: New => In Progress

** Changed in: horizon
     Assignee: (unassigned) => Gary W. Smith (gary-w-smith)

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1575913

Title:
  Generate and download keypair GET endpoint allows CSRF attacks

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Requests to create (and download) nova keypairs are made as GETs. As
  such the CSRF token is not sent nor validated on these requests. This
  breaks the principle Django's CSRF middleware relies upon which is that
  requests with side effects should not cause side effects.

  I'm told there was a reason for doing this related to being able to send
  the data back to the browser, and that this may not be trivial to fix.

  Filing this as a security bug since a malicious site could fool a user
  into creating keypairs.
  The attacker would not gain access to the contents, so the impact is not
  as serious as it might seem at first glance.

  See
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/access_and_security/keypairs/views.py#L112

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1575913/+subscriptions

From gerrit2 at review.openstack.org Mon Apr 10 14:59:15 2017
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Mon, 10 Apr 2017 14:59:15 +0000
Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Id2304adeb9490a630e1979bb70037ad8a2656d73
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/357151

Log:

commit 79a1152bfc37dedc777f5568c9663b4d40268007
Author: Peter Hamilton
Date:   Wed Mar 22 17:16:26 2017 -0400

    Add support for certificate validation

    This spec describes changes that would allow Nova to perform
    certificate validation when verifying Glance image signatures. While
    image signing ensures that image data is obtained unmodified from
    Glance, it does not prevent an attacker from uploading and signing a
    malicious image. The addition of Nova API changes allows Nova users to
    control the certificates which are allowed to sign images.

    This spec describes work related to image verification. For more
    information, see: https://review.openstack.org/#/c/343654

    APIImpact
    DocImpact
    SecurityImpact

    Change-Id: Id2304adeb9490a630e1979bb70037ad8a2656d73

From gerrit2 at review.openstack.org Mon Apr 10 20:22:59 2017
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Mon, 10 Apr 2017 20:22:59 +0000
Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.
https://review.openstack.org/401808

Log:

commit 0f9198471a47a4175abc41aa24635d392374258c
Author: Adam Young
Date:   Thu Nov 3 20:13:07 2016 -0400

    URL pattern based RBAC Management Interface

    A new entity in the Role backend that maps from VERB URL-Pattern to Role.
    I.E. from GET /v2/users to Member

    Beyond the backend and CRUD API for URL patterns there is also a Bulk
    Upload and management API.

    No RBAC enforcement is done in this commit, just management of the data
    that will be used in Keystone middleware.

    blueprint token-verify-role-check

    SecurityImpact
    APIImpact

    Co-Authored-By: Kristi Nikolla
    Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb

From 1674954 at bugs.launchpad.net Wed Apr 12 10:42:37 2017
From: 1674954 at bugs.launchpad.net (Amrith Kumar)
Date: Wed, 12 Apr 2017 10:42:37 -0000
Subject: [Openstack-security] [Bug 1674954] Re: trove log-enable causes unnecessary file permission change
References: <20170322104835.30899.5431.malonedeb@wampee.canonical.com>
Message-ID: <20170412104238.12677.30585.launchpad@gac.canonical.com>

** Changed in: trove
   Importance: Undecided => Low

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1674954

Title:
  trove log-enable causes unnecessary file permission change

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack DBaaS (Trove):
  New

Bug description:
  When log-enable is called, the Guestagent tries to change the log
  directory permission to readable. Unfortunately, it changes permissions
  recursively, like below. This is a security issue that allows any OS
  user to read the database data files.

  I believe that we should fix this line.
  https://github.com/openstack/trove/blob/master/trove/guestagent/guest_log.py#L115

  [samitani at samitani-mi02-member-2 ~]$ sudo grep 'Running cmd' /var/log/trove/guestagent.log
19:22:08.945 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmpCzeJfw execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326 2017-03-22 19:22:08.988 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): find /etc/my.cnf.d/ -noleaf -type f -regextype posix-extended -regex .*/.+-([0-9]+)-.+\.cnf$$ execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326 2017-03-22 19:22:08.995 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf.d/50-system-001-cluster.cnf /tmp/tmp7O4zdM execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326 2017-03-22 19:22:09.002 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmp7O4zdM execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326 2017-03-22 19:22:09.010 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf.d/50-system-002-enable_general_log.cnf /tmp/tmp_Kw0Ju execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326 2017-03-22 19:22:09.016 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmp_Kw0Ju execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326 2017-03-22 19:22:47.599 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): /usr/bin/mysqladmin ping execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326 To manage notifications about this bug go to: https://bugs.launchpad.net/ossa/+bug/1674954/+subscriptions From gerrit2 at review.openstack.org Wed Apr 12 17:52:36 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Wed, 12 Apr 2017 17:52:36 +0000 Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change 
I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/401808 Log: commit 2c0878f6baed78156c841c19b6121f001d2698c9 Author: Adam Young Date: Thu Nov 3 20:13:07 2016 -0400 Route based RBAC Management Interface A new entity in the Role backend that maps from VERB + Path to Role. I.E. from GET /v2/users to Member Beyond the backend and CRUD API for Routes there is also a Bulk Upload and management API. No RBAC enforcement is done in this commit, just management of the data that will be used in Keystone middleware. blueprint token-verify-role-check SecurityImpact APIImpact Co-Authored-By: Kristi Nikolla Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb From 1679749 at bugs.launchpad.net Wed Apr 12 18:39:30 2017 From: 1679749 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 12 Apr 2017 18:39:30 -0000 Subject: [Openstack-security] [Bug 1679749] Fix included in openstack/openstack-ansible-security 16.0.0.0b1 References: <20170404155712.9752.52177.malonedeb@wampee.canonical.com> Message-ID: <20170412183930.30667.1747.malone@soybean.canonical.com> This issue was fixed in the openstack/openstack-ansible-security 16.0.0.0b1 development milestone. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1679749 Title: Login banner in security role isn't configurable Status in openstack-ansible: Fix Released Bug description: The login banner provided with the security role could be made much more configurable than it is now. 
To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1679749/+subscriptions From 1676865 at bugs.launchpad.net Wed Apr 12 18:39:36 2017 From: 1676865 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 12 Apr 2017 18:39:36 -0000 Subject: [Openstack-security] [Bug 1676865] Fix included in openstack/openstack-ansible-security 16.0.0.0b1 References: <20170328125617.10482.27035.malonedeb@wampee.canonical.com> Message-ID: <20170412183936.12572.98625.malone@gac.canonical.com> This issue was fixed in the openstack/openstack-ansible-security 16.0.0.0b1 development milestone. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1676865 Title: RHEL 7 STIG final version released with renumbering Status in openstack-ansible: Fix Released Bug description: The final version of the RHEL 7 STIG was recently released and the content has changed along with the numbering. The old-style numbering (RHEL-07-010040) has been replaced with the V-##### numbering standard. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1676865/+subscriptions From gerrit2 at review.openstack.org Wed Apr 12 20:56:47 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Wed, 12 Apr 2017 20:56:47 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Id2304adeb9490a630e1979bb70037ad8a2656d73 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/357151 Log: commit 0f1f9d690c316d8a48cea81655732d2911906c44 Author: Peter Hamilton Date: Wed Mar 22 17:16:26 2017 -0400 Add support for certificate validation This spec describes changes that would allow Nova to perform certificate validation when verifying Glance image signatures. 
While image signing ensures that image data is obtained unmodified from Glance, it does not prevent an attacker from uploading and signing a malicious image. The addition of Nova API changes allows Nova users to control the certificates which are allowed to sign images. This spec describes work related to image verification. For more information, see: https://review.openstack.org/#/c/343654 APIImpact DocImpact SecurityImpact Change-Id: Id2304adeb9490a630e1979bb70037ad8a2656d73 From gerrit2 at review.openstack.org Wed Apr 12 21:45:38 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Wed, 12 Apr 2017 21:45:38 +0000 Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/401808 Log: commit 2255d13a45ee4b338f27c23dc90ca9ce11ad0752 Author: Adam Young Date: Thu Nov 3 20:13:07 2016 -0400 Route based RBAC Management Interface A new entity in the Role backend that maps from VERB + Path to Role. I.E. from GET /v2/users to Member Beyond the backend and CRUD API for Routes there is also a Bulk Upload and management API. No RBAC enforcement is done in this commit, just management of the data that will be used in Keystone middleware. blueprint token-verify-role-check SecurityImpact APIImpact Co-Authored-By: Kristi Nikolla Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb From gerrit2 at review.openstack.org Thu Apr 13 12:20:37 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Thu, 13 Apr 2017 12:20:37 +0000 Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. 
https://review.openstack.org/401808 Log: commit 9fb8153af478656f1ac0f5259735d78f2f9b81c9 Author: Adam Young Date: Thu Nov 3 20:13:07 2016 -0400 Route based RBAC Management Interface A new entity in the Role backend that maps from VERB + Path to Role. I.E. from GET /v2/users to Member Beyond the backend and CRUD API for Routes there is also a Bulk Upload and management API. No RBAC enforcement is done in this commit, just management of the data that will be used in Keystone middleware. blueprint token-verify-role-check SecurityImpact APIImpact Co-Authored-By: Kristi Nikolla Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb From gerrit2 at review.openstack.org Fri Apr 14 13:51:53 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Fri, 14 Apr 2017 13:51:53 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change I6850e6ad0fa5d075815b21e6116d2cf3f7949071 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/386756 Log: commit 6525ded466b50f4230b4c7b4b9cb820ab15c9933 Author: Chris Date: Fri Oct 14 14:41:15 2016 -0500 Change soft delete resources to prevent DOS Right now enabling soft delete opens up a potential DOS on compute hosts. This is because soft delete releases the instance's resources until the '_reclaim_queued_deletes' function runs. This could allow a user to exhaust all resources before they have actually been released from the host. This patch changes the functionality of soft-deletes to not release the resources (quotas) of the deleted instance on the host machine until the soft-deleted instances have been reclaimed. 
Change-Id: I6850e6ad0fa5d075815b21e6116d2cf3f7949071 Closes-Bug: 1501808 SecurityImpact From 1501808 at bugs.launchpad.net Fri Apr 14 13:51:48 2017 From: 1501808 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 14 Apr 2017 13:51:48 -0000 Subject: [Openstack-security] [Bug 1501808] Re: Enabling soft-deletes opens a DOS on compute hosts References: <20151001152652.22834.78736.malonedeb@gac.canonical.com> Message-ID: <20170414135150.17219.95587.launchpad@gac.canonical.com> ** Changed in: nova Assignee: Chris Martin (cm876n) => Matt Riedemann (mriedem) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1501808 Title: Enabling soft-deletes opens a DOS on compute hosts Status in OpenStack Compute (nova): In Progress Status in OpenStack Security Advisory: Won't Fix Bug description: If the user sets reclaim_instance_interval to anything other than 0, then when a user requests an instance delete, it will instead be soft deleted. Soft delete explicitly releases the user's quota, but does not release the instance's resources until period task _reclaim_queued_deletes runs with a period of reclaim_instance_interval seconds. A malicious authenticated user can repeatedly create and delete instances without limit, which will consume resources on the host without consuming their quota. If done quickly enough, this will exhaust host resources. I'm not entirely sure what to suggest in remediation, as this seems to be a deliberate design. The most obvious fix would be to not release quota until the instance is reaped, but that would be a significant change in behaviour. This is very similar to https://bugs.launchpad.net/bugs/cve/2015-3280 , except that we do it deliberately. 
To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1501808/+subscriptions From gerrit2 at review.openstack.org Mon Apr 17 14:30:25 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 17 Apr 2017 14:30:25 +0000 Subject: [Openstack-security] [openstack/cursive] SecurityImpact review request change I8d7f43fb4c0573ac3681147eac213b369bbbcb3b Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/357202 Log: commit d7a47354be61ea15ac051e92fc04c545eca51e5e Author: Peter Hamilton Date: Thu Aug 18 08:50:38 2016 -0400 Add certificate validation This change adds support for certificate validation, including certificate inspection utilities. Validating a certificate requires the certificate UUID of the certificate to validate, a set of UUIDs corresponding to the set of trusted certificates needed to validate the certificate, and a user context for authentication to the key manager. A new certificate verification context is included that is used to store the set of trusted certificates once they are loaded from the key manager. This context is used to validate the signing certificate, verifying that the certificate belongs to a valid certificate chain rooted in the set of trusted certificates. All new certificate utility code is added in a new module named certificate_utils. For more information on this work, see the spec: https://review.openstack.org/#/c/357151/ SecurityImpact DocImpact Change-Id: I8d7f43fb4c0573ac3681147eac213b369bbbcb3b From gerrit2 at review.openstack.org Mon Apr 17 15:09:13 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 17 Apr 2017 15:09:13 +0000 Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. 
https://review.openstack.org/401808 Log: commit 3da20e58fa40f9dbbccce67b92c41732120b4262 Author: Adam Young Date: Thu Nov 3 20:13:07 2016 -0400 Route based RBAC Management Interface A new entity in the Role backend that maps from VERB + Path to Role. I.E. from GET /v2/users to Member Beyond the backend and CRUD API for Routes there is also a Bulk Upload and management API. No RBAC enforcement is done in this commit, just management of the data that will be used in Keystone middleware. blueprint token-verify-role-check SecurityImpact APIImpact Co-Authored-By: Kristi Nikolla Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb From gerrit2 at review.openstack.org Mon Apr 17 15:11:24 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 17 Apr 2017 15:11:24 +0000 Subject: [Openstack-security] [openstack/cursive] SecurityImpact review request change I8d7f43fb4c0573ac3681147eac213b369bbbcb3b Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/357202 Log: commit c56249dcd130bc9d389be97aacfc5f2cd5daf04d Author: Peter Hamilton Date: Thu Aug 18 08:50:38 2016 -0400 Add certificate validation This change adds support for certificate validation, including certificate inspection utilities. Validating a certificate requires the certificate UUID of the certificate to validate, a set of UUIDs corresponding to the set of trusted certificates needed to validate the certificate, and a user context for authentication to the key manager. A new certificate verification context is included that is used to store the set of trusted certificates once they are loaded from the key manager. This context is used to validate the signing certificate, verifying that the certificate belongs to a valid certificate chain rooted in the set of trusted certificates. All new certificate utility code is added in a new module named certificate_utils. 
For more information on this work, see the spec: https://review.openstack.org/#/c/357151/ SecurityImpact DocImpact Change-Id: I8d7f43fb4c0573ac3681147eac213b369bbbcb3b From 1663417 at bugs.launchpad.net Tue Apr 18 09:38:10 2017 From: 1663417 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 18 Apr 2017 09:38:10 -0000 Subject: [Openstack-security] [Bug 1663417] Re: Bandit issue B701:jinja2_autoescape_false References: <20170209231702.6449.93775.malonedeb@wampee.canonical.com> Message-ID: <20170418093810.17510.10272.malone@gac.canonical.com> Reviewed: https://review.openstack.org/454204 Committed: https://git.openstack.org/cgit/openstack/trove/commit/?id=a173923ed534b114ad6c09af7ba2c72921200a3b Submitter: Jenkins Branch: master commit a173923ed534b114ad6c09af7ba2c72921200a3b Author: Trevor McCasland Date: Thu Apr 6 09:03:10 2017 -0500 Add jinja2 autoescape=True For avoiding XSS vulnerabilities, bandit suggests to set autoescape=True. After this change the bandit issues no longer appears. Change-Id: Ic47dadef49b4504b3bcfbdc63ea85c937aabf334 Closes-Bug: #1663417 ** Changed in: trove Status: In Progress => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1663417 Title: Bandit issue B701:jinja2_autoescape_false Status in OpenStack Security Advisory: Won't Fix Status in OpenStack DBaaS (Trove): Fix Released Bug description: After running bandit it found an issue of Severity and Confidence High. Test results: >> Issue: [B701:jinja2_autoescape_false] By default, jinja2 sets autoescape to False. Consider using autoescape=True to mitigate XSS vulnerabilities.    
Severity: High Confidence: High    Location: trove/common/utils.py:53 51 52 def build_jinja_environment(): 53 env = jinja2.Environment(loader=jinja2.ChoiceLoader([ 54 jinja2.FileSystemLoader(CONF.template_path), 55 jinja2.PackageLoader("trove", "templates") 56 ])) 57 # Add some basic operation not built-in. simply adding the argument autoescape=True to the function call will fix the issue. To manage notifications about this bug go to: https://bugs.launchpad.net/ossa/+bug/1663417/+subscriptions From gerrit2 at review.openstack.org Tue Apr 18 11:54:19 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 18 Apr 2017 11:54:19 +0000 Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/401808 Log: commit 71cf7a37a73b1008f5e9139a38b28d043e4a406d Author: Adam Young Date: Thu Nov 3 20:13:07 2016 -0400 Route based RBAC Management Interface A new entity in the Role backend that maps from for a given service map from VERB + Path to Role. identity GET /v2/users requires `Member` No RBAC enforcement is done in this commit, just management of the data that will be used in Keystone middleware. blueprint token-verify-role-check SecurityImpact APIImpact Co-Authored-By: Kristi Nikolla Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb From gerrit2 at review.openstack.org Wed Apr 19 12:20:13 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Wed, 19 Apr 2017 12:20:13 +0000 Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I63234ea8cbff639bdc9b4e9772c474b40a8a89d5 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. 
https://review.openstack.org/458047 Log: commit 155f474840dcf5231e3491b35c2a97adce196f12 Author: Adam Young Date: Thu Nov 3 20:13:07 2016 -0400 Route based RBAC Management Bulk API Munges the roles, implied roles, and routes data into a single, fetchable API No RBAC enforcement is done in this commit. blueprint token-verify-role-check SecurityImpact APIImpact Change-Id: I63234ea8cbff639bdc9b4e9772c474b40a8a89d5 Co-Authored-By: Kristi Nikolla From gerrit2 at review.openstack.org Wed Apr 19 18:35:06 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Wed, 19 Apr 2017 18:35:06 +0000 Subject: [Openstack-security] [openstack/cursive] SecurityImpact review request change I8d7f43fb4c0573ac3681147eac213b369bbbcb3b Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/357202 Log: commit d5cbb23279402b6483ab2f5d0070de7f8fd8fa40 Author: Peter Hamilton Date: Thu Aug 18 08:50:38 2016 -0400 Add certificate validation This change adds support for certificate validation, including certificate inspection utilities. Validating a certificate requires the certificate UUID of the certificate to validate, a set of UUIDs corresponding to the set of trusted certificates needed to validate the certificate, and a user context for authentication to the key manager. A new certificate verification context is included that is used to store the set of trusted certificates once they are loaded from the key manager. This context is used to validate the signing certificate, verifying that the certificate belongs to a valid certificate chain rooted in the set of trusted certificates. All new certificate utility code is added in a new module named certificate_utils. 
For more information on this work, see the spec: https://review.openstack.org/#/c/357151/ SecurityImpact DocImpact Change-Id: I8d7f43fb4c0573ac3681147eac213b369bbbcb3b From major at mhtx.net Tue Apr 25 14:32:29 2017 From: major at mhtx.net (Major Hayden) Date: Tue, 25 Apr 2017 14:32:29 -0000 Subject: [Openstack-security] [Bug 1686110] [NEW] AIDE configuration is set AFTER the initial run Message-ID: <20170425143229.16670.26982.malonedeb@wampee.canonical.com> Public bug reported: The "Configure AIDE to verify additional properties" task runs *after* the tasks which do the AIDE initialization. This isn't a problem on CentOS since the default properties meet the STIG requirements, but it does affect Ubuntu. The result is that Ubuntu users may see a huge AIDE update upon their second AIDE run. ** Affects: openstack-ansible Importance: Low Assignee: Major Hayden (rackerhacker) Status: In Progress ** Tags: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1686110 Title: AIDE configuration is set AFTER the initial run Status in openstack-ansible: In Progress Bug description: The "Configure AIDE to verify additional properties" task runs *after* the tasks which do the AIDE initialization. This isn't a problem on CentOS since the default properties meet the STIG requirements, but it does affect Ubuntu. The result is that Ubuntu users may see a huge AIDE update upon their second AIDE run. 
To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1686110/+subscriptions From 1686110 at bugs.launchpad.net Tue Apr 25 14:35:49 2017 From: 1686110 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 25 Apr 2017 14:35:49 -0000 Subject: [Openstack-security] [Bug 1686110] Re: AIDE configuration is set AFTER the initial run References: <20170425143229.16670.26982.malonedeb@wampee.canonical.com> Message-ID: <20170425143549.5908.93844.malone@chaenomeles.canonical.com> Fix proposed to branch: master Review: https://review.openstack.org/459719 ** Changed in: openstack-ansible Status: New => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1686110 Title: AIDE configuration is set AFTER the initial run Status in openstack-ansible: In Progress Bug description: The "Configure AIDE to verify additional properties" task runs *after* the tasks which do the AIDE initialization. This isn't a problem on CentOS since the default properties meet the STIG requirements, but it does affect Ubuntu. The result is that Ubuntu users may see a huge AIDE update upon their second AIDE run. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1686110/+subscriptions From dklyle0 at gmail.com Wed Apr 26 22:32:52 2017 From: dklyle0 at gmail.com (David Lyle) Date: Wed, 26 Apr 2017 22:32:52 -0000 Subject: [Openstack-security] [Bug 1625833] Re: Prevent open redirects as a result of workflow action References: <20160920214728.9448.43144.malonedeb@chaenomeles.canonical.com> Message-ID: <20170426223252.23010.45857.malone@wampee.canonical.com> I'm really having a tough time seeing the threat here. And I can see beneficial uses of this in a case where a secondary UI may be linking to workflows in Horizon. 
-- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1625833 Title: Prevent open redirects as a result of workflow action Status in OpenStack Dashboard (Horizon): In Progress Status in OpenStack Security Advisory: Won't Fix Bug description: For example: /admin/flavors/create/?next=http://www.foobar.com/ If a user is tricked into clicking that link, the flavor create workflow will be shown, but the redirect on form post will unexpectedly take the user to another site. Prevent this by checking that the next_url in WorkflowView.post is same origin. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1625833/+subscriptions From gerrit2 at review.openstack.org Thu Apr 27 11:22:30 2017 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Thu, 27 Apr 2017 11:22:30 +0000 Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/401808 Log: commit 5ae0b575a65895f096425969c9072a69844c2843 Author: Adam Young Date: Thu Nov 3 20:13:07 2016 -0400 Route based RBAC Management Interface A new entity in the Role backend that maps from VERB + Path to Role. I.E. from GET /v2/users to Member Beyond the backend and CRUD API for Routes there is also a Bulk Upload and management API. No RBAC enforcement is done in this commit, just management of the data that will be used in Keystone middleware. blueprint token-verify-role-check SecurityImpact APIImpact Co-Authored-By: Kristi Nikolla Change-Id: I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb
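The keystone review requests above (change I4cc3fd9e0958c3f7fda83ad696807a7c8f63cecb and its bulk-API companion I63234ea8cbff639bdc9b4e9772c474b40a8a89d5) describe a data model, VERB + Path mapped to a required Role per service, plus implied roles, and stress that no enforcement is done yet. The example below is an added illustration of how a consumer of that data could enforce it; it is not keystone's code, not the API those changes add, and not the keystone middleware they mention. The route table, the implied-role map, the path-pattern syntax with `{placeholder}` segments and the "most specific route wins" rule are all assumptions made for this example.

```python
"""Illustrative route-to-role check with implied-role expansion.

Added example; not keystone's code or its middleware. It models the data
the commit messages describe: per service, (VERB, path) -> required role,
widened by implied roles. Everything below is constructed sample data.
"""
import re
from collections import deque, namedtuple

Route = namedtuple("Route", "service verb pattern regex wildcards role")


def _compile(pattern):
    """Turn "/v3/users/{user_id}" into an anchored regex.

    Each {placeholder} matches exactly one path segment, so
    "/v3/users/abc/extra" does not match "/v3/users/{user_id}".
    Returns the regex and the number of placeholder segments.
    """
    parts = []
    wildcards = 0
    for seg in pattern.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
            wildcards += 1
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$"), wildcards


class RouteTable:
    def __init__(self):
        self._routes = []

    def add(self, service, verb, pattern, role):
        regex, wildcards = _compile(pattern)
        self._routes.append(
            Route(service, verb.upper(), pattern, regex, wildcards, role))

    def required_role(self, service, verb, path):
        """Role a request needs, or None when no route matches."""
        matches = [r for r in self._routes
                   if r.service == service and r.verb == verb.upper()
                   and r.regex.match(path)]
        if not matches:
            return None
        # Most specific route wins: fewest placeholder segments.
        return min(matches, key=lambda r: r.wildcards).role


def expand_roles(roles, implied):
    """Transitive closure of a token's roles over the implied-role map.

    With {"admin": {"Member"}, "Member": {"reader"}}, a token carrying
    only "admin" effectively holds admin, Member and reader.
    """
    seen = set()
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(implied.get(role, ()))
    return seen


def authorize(table, implied, service, verb, path, token_roles):
    """Return (allowed, required_role).

    A request to a path nobody mapped is denied rather than waved
    through: a route table that fails open is worse than none.
    """
    required = table.required_role(service, verb, path)
    if required is None:
        return False, None
    return required in expand_roles(token_roles, implied), required


# Constructed sample data. The GET /v2/users -> Member row is the one the
# commit message uses as its illustration; the rest are invented here.
IMPLIED = {"admin": {"Member"}, "Member": {"reader"}}


def build_example_table():
    table = RouteTable()
    table.add("identity", "GET", "/v2/users", "Member")
    table.add("identity", "GET", "/v3/users/{user_id}", "reader")
    table.add("identity", "DELETE", "/v3/users/{user_id}", "admin")
    table.add("identity", "GET", "/v3/users/{user_id}/projects", "Member")
    return table


if __name__ == "__main__":
    t = build_example_table()
    for verb, path, roles in [("GET", "/v2/users", {"reader"}),
                              ("DELETE", "/v3/users/abc123", {"admin"}),
                              ("POST", "/v3/users", {"admin"})]:
        print(verb, path, sorted(roles), "->",
              authorize(t, IMPLIED, "identity", verb, path, roles))
```

Two choices worth noting when building on data like this: unmatched routes must deny, otherwise every endpoint the operator forgot to upload is unprotected; and implied-role expansion has to be applied to the token's roles, not to the route's required role, or a `reader` token would satisfy a route that requires `admin`.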
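Bug 1625833 above asks that Horizon check the `next` parameter is same origin before redirecting after a workflow post. The following is an added example of such a check written against the standard library only; it is not Horizon's code and not the fix under review. The host name `horizon.example` and the `safe_next` helper are assumptions made for the example. It goes slightly beyond the bug's `?next=http://www.foobar.com/` case and also rejects the protocol-relative, backslash, userinfo and non-HTTP-scheme variants that an open-redirect check has to handle.

```python
"""Same-origin check for a ``next`` redirect parameter.

Added example, not Horizon's code. It implements the check the bug
report asks for: follow ``next`` only when it stays on the origin that
served the form; otherwise fall back to a fixed in-app path.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def is_same_origin(next_url, request_host, request_scheme="https"):
    """Return True only if ``next_url`` resolves to the requesting origin.

    Accepts a plain absolute path or an absolute URL whose scheme and
    host[:port] match the request. Rejects everything else.
    """
    if not next_url:
        return False
    # Browsers strip C0 control characters and surrounding whitespace, so
    # "\tjavascript:alert(1)" would slip past a naive scheme check.
    if next_url != next_url.strip() or any(
            ord(ch) < 0x20 or ord(ch) == 0x7F for ch in next_url):
        return False
    # Chrome and IE treat "\" as "/", turning "/\evil.example" into a
    # protocol-relative URL once it reaches the browser.
    if "\\" in next_url:
        return False
    parts = urlsplit(next_url)
    if parts.netloc and not parts.scheme:
        return False  # protocol-relative: //www.foobar.com/
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # javascript:, data:, vbscript:, ...
    if not parts.netloc:
        # No authority part: accept only a plain absolute path.
        # "http:evil" and "///evil.example" land here and are rejected.
        return next_url.startswith("/") and not next_url.startswith("//")
    if parts.netloc.lower() != request_host.lower():
        return False  # different host, or user@host tricks
    if request_scheme == "https" and parts.scheme.lower() != "https":
        return False  # no https -> http downgrade
    return True


def safe_next(next_url, request_host, fallback="/"):
    """Redirect target for the form post: ``next_url`` if safe, else fallback."""
    if is_same_origin(next_url, request_host):
        return next_url
    return fallback


if __name__ == "__main__":
    # Constructed inputs, including the one from the bug report.
    for candidate in ["/admin/flavors/", "http://www.foobar.com/",
                      "//www.foobar.com/", "javascript:alert(1)",
                      "https://horizon.example/project/"]:
        print(repr(candidate), "->", safe_next(candidate, "horizon.example"))
```

Horizon is a Django application, and Django ships an equivalent check in `django.utils.http` (`is_safe_url` in the releases current when this bug was filed, `url_has_allowed_host_and_scheme` later); the point of spelling it out here is the list of cases a same-origin test has to cover, not to replace that helper.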