September 2012 - OpenStack-announce

[OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)
by Russell Bryant 28 Sep '12

28 Sep '12

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenStack Security Advisory: 2012-015 CVE: CVE-2012-4456 Date: September 28, 2012 Title: Some actions in Keystone admin API do not validate token Impact: High Reporter: Jason Xu Products: Keystone Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone) Description: Jaxon Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing roles for a user. The second was the ability to get, create, and delete services. Folom Fixes: (Included in 2012.2) http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb… http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147… Essex Fixes: (Included in 2012.1.2) http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c… http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a… References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456 https://bugs.launchpad.net/keystone/+bug/1006815 https://bugs.launchpad.net/keystone/+bug/1006822 - -- Russell Bryant OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBmDcYACgkQFg9ft4s9SAam7wCgpJ6b7dcF/vZab3zTcNr0V84u k2QAnAzwGx0H69iw6gVQApaCnd9V1lQk =xR0F -----END PGP SIGNATURE-----

1 0

[OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457)
by Russell Bryant 28 Sep '12

28 Sep '12

OpenStack Security Advisory: 2012-016 CVE: CVE-2012-4457 Date: September 28, 2012 Title: Token authorization for a user in a disabled tenant is allowed Impact: High Reporter: Rohit Karajgi (NTT Data) Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-3 development milestone) Description: Rohit Karajgi reported a vulnerability in Keystone. It was possible to get a token that is authorized for a disabled tenant. Once the token is established with authorization on the tenant, keystone would respond 200 OK to token validation requests from other OpenStack services, allowing the user to work with the tenant's resources. Folsom fix: (Included in 2012.2) http://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b… Essex fix: (Included in 2012.1.2) http://github.com/openstack/keystone/commit/5373601bbdda10f879c08af16988521… References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4457 https://bugs.launchpad.net/keystone/+bug/988920 -- Russell Bryant OpenStack Vulnerability Management Team

1 0

OpenStack Community Weekly Newsletter (Sep 21-28)
by Stefano Maffulli 28 Sep '12

28 Sep '12

Highlights of the week OpenStack Folsom Is Here With The Schedule Of The Summit <http://www.openstack.org/blog/2012/09/openstack-folsom-is-here-with-the-sch…> Another release for OpenStack today, the sixth in a little over two years. Folsom, or 2012.2 has two new services Networking (Quantum) and Block Storage (Cinder) services, architected in line with the OpenStack philosophy of pluggability and extensibility. While work was underway to establish the new OpenStack Foundation, our thriving community once again delivered the release on-time and with all planned essential features. The full announcement with links to the release notes on OpenStack 2012.2 ("Folsom") released! <http://markmail.org/message/vanmu7ahkvmnxfln> Direct download links on http://bit.ly/openstackfolsom Published the Agenda for the OpenStack Summit <http://www.openstack.org/blog/2012/09/openstack-folsom-is-here-with-the-sch…> The schedule for the OpenStack Summit has been published <http://www.openstack.org/blog/feed/openstacksummitfall2012.sched.org>: take advantage of the discount until the end of September (save $200 <http://openstacksummitfall2012.eventbrite.com/>) on the registration fee and come meet this amazing OpenStack community live in San Diego. Technical Committee elections results, Fall 2012 <http://markmail.org/message/653zs7ihk3hwj5ec> The OpenStack TC election period is now over. The winners <http://www.cs.cornell.edu/w8/%7Eandru/cgi-perl/civs/results.pl?id=E_019fda1…> for the 3 remaining seats on the Technical Committee <http://wiki.openstack.org/Governance/TechnicalCommittee> are: Monty Taylor, Anne Gentle, Russell Bryant. They are elected for a one-year term, and join the already-elected members: Vish Ishaya, John Dickinson, Brian Waldon, Joe Heck, Gabriel Hurley, Dan Wendlandt, John Griffith, Mark McLoughlin, Jay Pipes and Thierry Carrez. OpenStack Folsom Architecture <http://ken.pepple.info/openstack/2012/09/25/openstack-folsom-architecture/> Ken Pepple /updated his "Intro to OpenStack Architecture 101? for the official documentation. Read the /*expanded*/version of it on his blog./ Providing a Unified View of OpenStack Projects <http://www.openstack.org/blog/2012/09/providing-a-unified-view-of-openstack…> Wan to find answers to questions like: who's contributing to that particular feature of OpenStack? What is that developer working on? How many work hours/lines of code went into adding that feature/blueprint? What are users saying about OpenStack? Register here <http://openstack.enterthemeeting.com/m/1GQI39PC> for the webinar and don't miss the talk on Wednesday, October 17 in San Diego <http://openstacksummitfall2012.sched.org/event/a5194145c6d2667d3e9d83a5d012…>. The Top 3 New Swift Features in OpenStack Folsom <http://swiftstack.com/blog/2012/09/27/top-three-swift-features-in-openstack…> There has been a ton of activity in and around Swift throughout the Folsom release cycle. Swift has moved from version 1.4.8 in the Essex release to version 1.7.4 in the Folsom release. Some of the new features added in the Folsom release include the integration of Keystone middleware, the separation of the Swift CLI and client library so Glance can more easily integrate with Swift to store Nova images. Swift has also added many new features to its core storage engine. Find out about it from SwiftStack Team. From nova-network to quantum <http://sebastien-han.fr/blog/2012/09/25/from-nova-network-to-quantum/> If you wonder what changed in OpenStack Networking with the release of Folsom, this is the article to read. By Sébastien Han <http://sebastien-han.fr/> and Emilien Macchi <http://my1.fr/>. Quantum plugin comparison <http://sebastien-han.fr/blog/2012/09/28/quantum-plugin-comparison/> Folsom has been released, it's probably time for some of you to deploy OpenStack. This is a follow up to the article titled From nova-network to Quantum <http://www.sebastien-han.fr/blog/2012/09/25/from-nova-network-to-quantum/>. One of the main question with Folsom is: which Quantum plugin should I use? The answer could be in this article! Another article co-written with Emilien Macchi <http://my1.fr/>. Deep dive into the available plugins in Quantum for OpenStack Folsom. Tips and tricks * By Grid Dynamics: OpenStack Team <http://openstackgd.wordpress.com/>: Overcoming YUM Repository Limit <http://openstackgd.wordpress.com/2012/09/27/373/> * By Sandy Walsh <http://www.sandywalsh.com/2012/09/openstack-nova-internals-pt2-services.html>: a fairly detailed treaty on OpenStack Nova Internals -- pt2 -- Services <http://www.sandywalsh.com/2012/09/openstack-nova-internals-pt2-services.html> Upcoming Events * Help needed to organize the OpenStack devroom for *FOSDEM* 2013 <http://markmail.org/message/7ridfk4vgilz7slj> * OpenStack China Tour #2 <http://hui.csdn.net/MeetingInfo.aspx?MID=135> Sep 22, 2012 -- Shenzen, China Details <http://hui.csdn.net/MeetingInfo.aspx?MID=135> * Puppet Master Pulls Deployment Strings with Ease <http://www.meetup.com/OpenStack-LA/events/79142862/> Sep 27, 2012 -- Los Angeles, CA Details <http://www.meetup.com/OpenStack-LA/events/79142862/> * PyCon India 2012 <http://in.pycon.org/2012/funnel/pyconindia2012/48-openstack-open-source-sof…>, Sept 28-30 -- Bangalore, India, Details <http://in.pycon.org/2012/funnel/pyconindia2012/48-openstack-open-source-sof…> * OpenStack Summit <http://openstack.org/> Oct 15 -- 18, 2012 -- San Diego, CA Other news * What's up doc? September 26 2012 <http://markmail.org/message/mp7sczuoee2hvwce> * OpenStack Project Meeting 2012-09-25: Summary <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-09-25-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-09-25-21.…>. Chart of the week Lots more charts are available on Bitergia's report on Folsom <http://bitergia.com/public/reports/openstack/2012_09_folsom/index.html> and Mark McLoughlin <http://openstack.markmail.org/search/list:net%2Elaunchpad%2Elists%2Eopensta…> (spelled right this time) github tree <https://github.com/markmc/openstack-gitdm/tree/results/folsom>. <http://www.openstack.org/blog/wp-content/uploads/2012/09/distrib_companies_…> Folsom contributors ecosystem /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

Technical Committee elections results, Fall 2012
by Thierry Carrez 28 Sep '12

28 Sep '12

The OpenStack TC election period is now over. The winners for the 3 remaining seats on the Technical Committee are: * Monty Taylor * Anne Gentle * Russell Bryant They are elected for a one-year term, and join the already-elected members: Vish Ishaya, John Dickinson, Brian Waldon, Joe Heck, Gabriel Hurley, Dan Wendlandt, John Griffith, Mark McLoughlin, Jay Pipes and Thierry Carrez. You can see detailed election results at: http://www.cs.cornell.edu/w8/~andru/cgi-perl/civs/results.pl?id=E_019fda1f0… The Technical Committee lives at: http://wiki.openstack.org/Governance/TechnicalCommittee -- Thierry Carrez (ttx) Election official

1 0

OpenStack 2012.2 ("Folsom") released !
by Thierry Carrez 27 Sep '12

27 Sep '12

Hello everyone, It is my great pleasure to announce the immediate release of OpenStack 2012.2, codenamed "Folsom". This release includes two new services: OpenStack Networking ("Quantum") and OpenStack Block Storage ("Cinder"). You can find source tarballs for each component, together with lists of features and bugfixes introduced during this 6-month development cycle, at: OpenStack Compute: https://launchpad.net/nova/folsom/2012.2 OpenStack Object Storage: https://launchpad.net/swift/folsom/1.7.4 OpenStack Image Service: https://launchpad.net/glance/folsom/2012.2 OpenStack Networking: https://launchpad.net/quantum/folsom/2012.2 OpenStack Block Storage: https://launchpad.net/cinder/folsom/2012.2 OpenStack Identity: https://launchpad.net/keystone/folsom/2012.2 OpenStack Dashboard: https://launchpad.net/horizon/folsom/2012.2 You're strongly encouraged to read the Release Notes, available at: http://wiki.openstack.org/ReleaseNotes/Folsom We hope you will enjoy this release as much as we have enjoyed creating it. -- Thierry Carrez (ttx) Release Manager, OpenStack

1 0

OpenStack Object Storage ("Swift") 1.7.4 released
by Thierry Carrez 26 Sep '12

26 Sep '12

Hi everyone, A memory leak was discovered in Swift 1.7.2, prompting a last-minute new release for inclusion in the common Folsom OpenStack release tomorrow: https://launchpad.net/swift/folsom/1.7.4 This should (really) be the last release of Swift in the Folsom series, and that version shall be included in the common OpenStack "Folsom" release tomorrow. Regards, -- Thierry Carrez (ttx) Release Manager, OpenStack

1 0

OpenStack Community Weekly Newsletter (Sep 14-21)
by Stefano Maffulli 22 Sep '12

22 Sep '12

Highlights of the week The OpenStack Foundation is here <http://www.openstack.org/foundation/> If you haven't heard the news, the Foundation is fully operationally now and it's hiring <http://www.openstack.org/community/jobs/?foundation=1>, too. We celebrated globally with many of the OpenStack User Groups around the world (some pictures are in OpenStack flickr group <http://www.flickr.com/groups/1574695@N22/>). What's new in OpenStack Folsom ? <http://my1.fr/blog/whats-new-in-openstack-folsom/?utm_source=rss&utm_medium…> Emilien Macchi <http://my1.fr/blog> wrote a summary of what's coming in OpenStack Folsom. Getting ready for the OpenStack F release. What's Up Doc? September 19 2012 <https://lists.launchpad.net/openstack/msg16869.html> Report from Docs land: still over 100 doc bugs, 18 targeted for folsom, 11 of those 18 do not have assignees. New docs landing pages from https://review.openstack.org/#/c/11232/ should land this week or next prior to the release date. OpenStack Governance Elections: Technical Committee <http://www.openstack.org/blog/2012/09/openstack-governance-elections-techni…> The OpenStack community is called to elect the last 3 members of the OpenStack Technical Committee <http://wiki.openstack.org/Governance/Foundation/TechnicalCommittee>. Per section 4.1(b) of the OpenStack Foundation bylaws <http://wiki.openstack.org/Governance/Foundation/Bylaws>, the Technical Committee ("TC") is a technical meritocracy managing all the technical matters relating to OpenStack. It replaces the "Project Policy Board" from the old governance. We have 11 candidates and the election process started. If you're a qualified voter <https://lists.launchpad.net/openstack/msg16849.html> you have received an email with instructions on how to vote. Check your spam folders if you haven't received any communication . Trystack latest status update <https://lists.launchpad.net/openstack/msg16895.html> The team is taking small steps to get the TryStack experience back on track. Nachi Ueno would like assistance with deploying Compute, Image, and Identity on TryStack. Contact him to help. Great opportunity to get some ops chops! OpenStack China Tour Launches from Beijing <http://www.openstack.org/blog/2012/09/openstack-china-tour-beijing/> On September 16, /OpenStack China Tour /began its trip from Beijing. It is a series of OpenStack meetups organized by COSUG and CSDN in some Chinese major cities(Beijing, Shenzhen, Chengdu, Wuhan and Xi'an) in turn. A Globally Distributed OpenStack Swift Cluster <http://swiftstack.com/blog/2012/09/16/globally-distributed-openstack-swift-…> SwifStack team is working towards evolving Swift into a single cluster can be distributed over multiple, geographically dispersed sites, joined via high-latency network connections. Tips and tricks * By Sébastien Han <http://sebastien-han.fr/>: Openstack: play with quota <http://sebastien-han.fr/blog/2012/09/19/openstack-play-with-quota/> * By Emilien Macchi <http://my1.fr/blog> : Running an OpenFlow Network with OpenStack Quantum & Floodlight <http://my1.fr/blog/running-an-openflow-network-with-openstack-quantum-flood…> * By Yong Sheng Gong <http://pipes.yahoo.com/pipes/pipe.info?_id=bb3905a64a08b9d8167502028410a1e8>: Quantum Folsom <https://www.ibm.com/developerworks/mydeveloperworks/blogs/e93514d3-c4f0-4aa…> Upcoming Events * Help needed to organize the OpenStack devroom for *FOSDEM* 2013 <http://markmail.org/message/7ridfk4vgilz7slj> * OpenStack China Tour #2 <http://hui.csdn.net/MeetingInfo.aspx?MID=135> Sep 22, 2012 -- Shenzen, China Details <http://hui.csdn.net/MeetingInfo.aspx?MID=135> * Puppet Master Pulls Deployment Strings with Ease <http://www.meetup.com/OpenStack-LA/events/79142862/> Sep 27, 2012 -- Los Angeles, CA Details <http://www.meetup.com/OpenStack-LA/events/79142862/> * PyCon India 2012 <http://in.pycon.org/2012/funnel/pyconindia2012/48-openstack-open-source-sof…>, Sept 28-30 -- Bangalore, India, Details <http://in.pycon.org/2012/funnel/pyconindia2012/48-openstack-open-source-sof…> * OpenStack Summit <http://openstack.org/> Oct 15 -- 18, 2012 -- San Diego, CA Other news * OpenStack Folsom RC1 is here * OpenStack Project Meeting 2012-09-18: Summary <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-09-18-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-09-18-21.…> Welcome new contributors Celebrating the first patches submitted this week by: * Nikola Dipanov, RedHat.com * Arathi, Persistent * Ripal Nathuji, Calxeda.com * Vijaya-erukala, Persistent * Newptone, Sina * Lapgoon Silly entertainment of the week: openSUSE community welcomes OpenStack Foundation /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

OpenStack Object Storage ("Swift") 1.7.2 released
by Thierry Carrez 20 Sep '12

20 Sep '12

Hi everyone, A Folsom release-critical bug was discovered in Swift 1.7.0, prompting a new release for inclusion in the common OpenStack release next week: https://launchpad.net/swift/folsom/1.7.2 Unless some (new) critical issue is uncovered, this should be the last release of Swift in the Folsom series, and that version shall be included in the common OpenStack "Folsom" release on September 27. Regards, -- Thierry Carrez (ttx) Release Manager, OpenStack

1 0

OpenStack Community Weekly Newsletter (Sep 7-14)
by Stefano Maffulli 14 Sep '12

14 Sep '12

Highlights of the week OpenStack Summit: Vote for Speakers <http://www.openstack.org/blog/2012/09/openstack-summit-vote-for-speakers/> We've gotten a lot of great speaking submissions, and would like your help shaping the agenda for the next OpenStack Summit, October 15-18, in San Diego. We've made the submissions public for your input, and you have until Thursday, September 13, to vote <http://openstack.org/summit/san-diego-2012/vote-for-speakers/> up your favorites. Please note you need to be an Individual Member of the OpenStack Foundation in order to access the voting system. OpenStack Governance Elections: Technical Committee <http://www.openstack.org/blog/2012/09/openstack-governance-elections-techni…> Now that we have elected the Project Technical Leads for the next release, the OpenStack community is called to elect the last 3 members of the OpenStack Technical Committee <http://wiki.openstack.org/Governance/Foundation/TechnicalCommittee>. Per section 4.1(b) of the OpenStack Foundation bylaws <http://wiki.openstack.org/Governance/Foundation/Bylaws>, the Technical Committee ("TC") is a technical meritocracy managing all the technical matters relating to OpenStack. It replaces the "Project Policy Board" from the old governance. OpenStack Governance Elections Autumn 2012 Results <http://www.openstack.org/blog/2012/09/openstack-governance-elections-autumn…> The OpenStack community has elected the Project Technical Leads. Demo: Live Migration, without shared storage, using XenServer and OpenStack <http://blogs.citrix.com/2012/09/11/demo-live-migration-without-shared-stora…> Renuka Apte demonstrates the new OpenStack Folsom and Storage XenMotion to enables live migration of VMs, without shared storage, using XenServer and OpenStack. This week in Docs <http://lists.openstack.org/pipermail/openstack-docs/2012-September/000139.h…> Getting ready for Folsom release, the doc team went from 34 High folsom-targeted doc bugs two weeks ago to 17 on Monday. The documentation team is working hard to deliver always better documentation for OpenStack. See what else there is to be done. Security announcements * Keystone: Revoking a role does not affect existing tokens (CVE-2012-4413) <http://lists.openstack.org/pipermail/openstack-announce/2012-September/0000…> Tips and tricks * By Mark McCoughlin: Friday is for Yak Shaving <http://blogs.gnome.org/markmc/2012/09/14/friday-is-for-yak-shaving/> (experiences on using openstack-client over ssh tunnel) Upcoming Events * Help needed to organize the OpenStack devroom for *FOSDEM* 2013 <http://markmail.org/message/7ridfk4vgilz7slj> * OpenStack China Tour #1 <http://hui.csdn.net/MeetingInfo.aspx?mid=129> Sep 16, 2012 -- Bejing, China Details <http://hui.csdn.net/MeetingInfo.aspx?mid=129> * OpenStack China Tour #2 <http://hui.csdn.net/MeetingInfo.aspx?MID=135> Sep 22, 2012 -- Shenzen, China Details <http://hui.csdn.net/MeetingInfo.aspx?MID=135> * PyCon India 2012 <http://in.pycon.org/2012/funnel/pyconindia2012/48-openstack-open-source-sof…>, Sept 28-30 -- Bangalore, India, Details <http://in.pycon.org/2012/funnel/pyconindia2012/48-openstack-open-source-sof…> * OpenStack Summit <http://openstack.org/> Oct 15 -- 18, 2012 -- San Diego, CA Other news * Approaching OpenStack Folsom RC1 * OpenStack Project Meeting 2012-09-11: Summary <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-09-11-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-09-11-21.…> Welcome new contributors Celebrating the first patches submitted this week by: * pengyuwei * Clemens Perz * jokcylou * Derek Yarnell * Teng Li * Alessandro Tagliapietra * Chris Yeoh, IBM * Sirisha Devineni, Persistent /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

PTL elections results, Fall 2012
by Thierry Carrez 14 Sep '12

14 Sep '12

The OpenStack PTL election period is now over. The following people have been elected as Project Technical Leads for the upcoming 6-month Grizzly development cycle: Nova PTL: Vish Ishaya Swift PTL: John Dickinson Glance PTL: Brian Waldon Keystone PTL: Joe Heck Horizon PTL: Gabriel Hurley Quantum PTL: Dan Wendlandt Cinder PTL: John Griffith openstack-common PTL: Mark McLoughlin Note that elected PTLs are automatically granted a 6-month seat on the OpenStack Technical Committee. Congrats everyone ! -- Thierry Carrez (ttx) Election official

1 0