May 2013 - OpenStack-announce - lists.openstack.org

[OSSA 2013-010] Nova uses insecure keystone middleware tmpdir by default (CVE-2013-2030)
by Thierry Carrez 09 May '13

09 May '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-010 CVE: CVE-2013-2030 Date: May 9, 2013 Title: Nova uses insecure keystone middleware tmpdir by default Reporter: Grant Murphy (Red Hat), Anton Lundin Products: Nova Affects: Folsom, Grizzly Description: Grant Murphy from Red Hat and Anton Lundin both independently reported a vulnerability in Nova's default location for the Keystone middleware signing directory (signing_dir). By previously setting up a malicious directory structure, an attacker with local shell access on the Nova node could potentially issue forged tokens that would be accepted by the middleware. Only setups that use the default value for signing_dir are affected. Note that future versions of the Keystone middleware will issue a warning if an insecure signing directory is used. Havana (development branch) fix: https://review.openstack.org/#/c/28568/ Grizzly fix: https://review.openstack.org/#/c/28569/ Folsom fix: https://review.openstack.org/#/c/28570/ References: https://bugs.launchpad.net/nova/+bug/1174608 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2030 - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRi72dAAoJEFB6+JAlsQQjJZAQAJ5w/+BoBD4em8YklBsxU6wU Bn1wWu3W5ngCNuHwr4ydWzC3U1TT1zWtogWJpv/+87m2KPESWhs7YGCkTIE9tLpA sNOniOG9hGUsWwRgtUqjA8/8QzLgbNJ/PDJx0lrNPNkvMbHwP/jxotx353edhelQ QAPJwVPBqu0vn2VZOeFWYNO/AnWNcjTXE0po92qaFvw3HWL3ykMd30w4Ejxv9clC VjBjaNkReSkmcd/BaArtr1IenyYyVqM7nv/VWl5O5Up02+uvAozDmy6Cyc1O5VOW 6m9nRH2WKE/bFXcTEG4rpH+/BZxG2RuyklUBvVtSaEAQOWYFSwQKzjxGM3rItsWt iuQYrakl6H69tRS3HS9pAXWdxSikSb8CqmVJauf3RG1/EQ7GtCO0kXVPi8fYBaTX GpLmpY8bj6o2iY1Kh1bozZ2oYVLgPrhP2R4oj+4iaSN++gy2qs0d3AvIK0BzBKT+ fd7wAUpdxltM9eZS82VEQxIaOGUDqnGompEu3nPRv9KD5kZqgz/L/jp5I+PR3y1D Uaj8W+FfF/AZtMRLJHl3I0kUHRhfuIusir5zja7UCoR6UEeipLvBzbi/DSGfBCRY /VbBv9ZZBeQ+Kw4EwS4/7G5nw1RX4/bKGSi0zcwwmD2unB7Plm9MjI65yR4oFidl uOpCYFwNk6PqCFED/mCz =wjZ/ -----END PGP SIGNATURE-----

1 0

OpenStack Grizzly documentation released 4/30/13
by Anne Gentle 06 May '13

06 May '13

Hi all, We have released a version of the OpenStack official documentation for grizzly and it is now available at http://docs.openstack.org/grizzly. We continue to update docs through our continuous publishing process so feedback is always welcome. Sorry for the delayed announcement. The release happened 4/30, less than a month after the code release. Contributor docs at http://docs.openstack.org/developer/ are completed at the same time as the code release, but operator and deployer documentation takes a little more time to bake and test. If you have questions about how OpenStack documentation is maintained or would like to get involved, see http://wiki.openstack.org/Documentation/HowTo. We had nearly 80 contributors to the documentation for the Grizzly release. Thanks to everyone who helped create and maintain accurate information for OpenStack. Thanks, Anne --- Anne Gentle Rackspace Content Stacker

1 0

OpenStack Community Weekly Newsletter (Apr 25 – May 3)
by Stefano Maffulli 03 May '13

03 May '13

Introducing Murano: Bringing Windows Environments to OpenStack <http://www.mirantis.com/blog/introducing-murano-bringing-windows-environmen…> In response to growing demand for deploying and running Windows based applications on OpenStack cloud, the team at Mirantis started Murano <https://wiki.openstack.org/wiki/Murano>: a native OpenStack component that enables fast provisioning and operation of Windows Environments on demand. Who Wrote OpenStack Grizzly Docs? <http://justwriteclick.com/2013/04/26/who-wrote-openstack-grizzly-docs/> Sneaking a peek at the numbers for documentation along with the code should show us pointers about docs keeping up with code. Anne Gentle <http://justwriteclick.com/> dives into the documentation with data and insights. “I” release cycle naming <https://wiki.openstack.org/wiki/Release_Naming#.22I.22_release_cycle_naming> The next OpenStack summit will happen in Hong Kong. That creates a pretty challenging naming problem, since there is no word starting with “i’ in classic transliteration of Chinese words. So the Technical Committee is willing to bend the rules /a little/ to extend the range of candidates… Feel free to add suggestions to the list on the wiki. Stacker Voices: Monty Taylor, HP <http://engineering.cloudscaling.com/stacker-voices-monty-taylor-hp/> Cloudscaling Engineering <http://engineering.cloudscaling.com/> talked with Monty Taylor of HP (reaching rockstar status also with a wired.com <http://www.wired.com/> profile <http://www.wired.com/wiredenterprise/2013/04/new-hackers-taylor/> this week) at the OpenStack Summit in Portland. Monty leads the CI (continuous innovation) project for OpenStack. In that role, he and his group have built testing systems that have made it possible for the OpenStack project to scale from a few dozen contributors for the Bexar release to more than 700 developers now pushing hundreds of patches daily to OpenStack. Watch the video on YouTube <http://www.youtube.com/watch?v=eqw4zxqPelc>. A little tracing hack <http://markmail.org/message/kjv4kry67732nawb> Timothy Daly at Yahoo! added metrics and tracing for OpenStack and released tomograph <https://github.com/timjr/tomograph>: a tool to see what and how OpenStack is doing behind the curtains. Contribute to OpenStack Activity Board <http://www.openstack.org/blog/2013/05/contribute-to-openstack-activity-boar…> We’ve released the complete documentation <http://activity.openstack.org/data/display/WIKIDS/Home> for OpenStack Insights <http://activity.openstack.org/data/>, with binaries and source code downloadable from Sourceforge <https://sourceforge.net/projects/wikidsopenstack> while the OpenStack Dash <http://activity.openstack.org/dash/> tools are the vanilla MetricsGrimoire <http://metricsgrimoire.github.io/> set hosted on github <https://github.com/MetricsGrimoire>. The code is free as in freedom so you’re welcome to play with it. How to run pylint with few false positives <http://cloudystuffhappens.blogspot.com/2013/04/how-to-run-pylint-with-few-f…> Testing your python code can get complex and with pylint, you /will /see false positives, meaning it will complain some lines as bugs that are actually correct. lintstack is designed to address this problem: *reduce false positives from pylint as much as possible without sacrificing accuracy*. Yun Mao <http://cloudystuffhappens.blogspot.com/search/label/openstack> describes how lintstack works. Report from Previous Events * By Alessio Ababilov <http://aababilov.wordpress.com/>: OpenStack Summit April 2013: a First Experience <http://aababilov.wordpress.com/2013/05/02/openstack-summit-april-2013-a-fir…> * By Amar Kapadia <http://www.buildcloudstorage.com/>: Coming of Age of Swift <http://blogs.evault.com/cloud-connected-recovery/cloud-connected-storage/op…>. Tips and Tricks * By Adam Young <http://adam.younglogic.com/>: Kerberizing PostgreSQL with FreeIPA for Keystone <http://adam.younglogic.com/2013/05/kerberizing-postgresql-with-freeipa-for-…> * By Giulio Fidente <http://giuliofidente.com/>: OpenStack Cinder – Add more volume nodes <http://giuliofidente.com/2013/04/openstack-cinder-add-more-volume-nodes.html> * By Flavio Percoco <http://blog.flaper87.org/>: Dynamic TTL Collection in Mongodb for Marconi <http://blog.flaper87.org/post/517c3ea50f06d3497faffe5a/> OpenStack In The Wild A new section of the weekly newsletter dedicated to users of OpenStack. If you want to showcase how OpenStack helps you (or you know somebody that uses OpenStack) please let us know: email <mailto:communitymngr@openstack.org>, twitter <http://twitter.com/openstack>, reddit <http://www.reddit.com/r/openstack/> or avian carrier <http://en.wikipedia.org/wiki/IP_over_Avian_Carriers> will do). Meanwhile watch the keynotes from Portland Summit: * Bloomberg User Spotlight <http://www.openstack.org/summit/portland-2013/session-videos/presentation/k…> * Keynote: Comcast User Spotlight <http://www.openstack.org/summit/portland-2013/session-videos/presentation/k…> * Keynote: Best Buy User Spotlight <http://www.openstack.org/summit/portland-2013/session-videos/presentation/k…> * Keynote: Clouds in High Energy Physics <http://www.openstack.org/summit/portland-2013/session-videos/presentation/k…> * Keynote: OpenStack at the National Security Agency (NSA) <http://www.openstack.org/summit/portland-2013/session-videos/presentation/k…> Upcoming Events * OpenStack meeting in Cologne <http://www.meetup.com/OpenStack-DACH/events/108876542/> May 04, 2013 – Cologne, Germany Details <http://www.meetup.com/OpenStack-DACH/events/108876542/> * OpenStack Atlanta Meetup <http://www.meetup.com/openstack-atlanta/events/107062982/> May 16, 2013 – Atlanta, USA Details <http://www.meetup.com/openstack-atlanta/events/107062982/> * OpenStack Dublin Meetup <http://www.meetup.com/OpenStack-Ireland/events/116567022/> May 22, 2013 – Dublin, Ireland Details <http://www.meetup.com/OpenStack-Ireland/events/116567022/> * OpenStack DACH Day <http://www.prweb.com/releases/2013/3/prweb10526716.htm> May 24, 2013 – Berlin Fairgrounds Details <http://www.prweb.com/releases/2013/3/prweb10526716.htm> * OpenStack India Meetup <http://www.meetup.com/Indian-OpenStack-User-Group/events/117132352/> May 26, 2013 – Bangalore, India at Anuta Network Details <http://www.meetup.com/Indian-OpenStack-User-Group/events/117132352/> * OpenStack Israel <http://www.meetup.com/IGTCloud/events/99146542/> May 27, 2013 – Tel-Aviv, Israel Details <http://www.openstack-israel.org/> * OpenStack CEE Day <http://www.openstack.org/> May 29, 2013 – Budapest Details <http://www.openstack.org/> * Building an OpenStack Cloud <http://www.meetup.com/meetup-group-NjZdcegA/events/108731562/> May 30, 2013 – Chicago, IL Details <http://www.meetup.com/meetup-group-NjZdcegA/events/108731562/> * OpenStack meeting in Munich <http://www.meetup.com/openstack-de/events/109700562/> Jun 11, 2013 – Munich, Germany Details <http://www.meetup.com/openstack-de/events/109700562/> * GigaOM Structure <http://event.gigaom.com/structure/> Jun 19 – 20, 2013 – San Francisco, CA Details <http://event.gigaom.com/structure/> * OSCON 2013 <http://www.oscon.com/oscon2013> Jul 22 – 26, 2013 – Portland, OR Details <http://www.oscon.com/oscon2013> Other News * A brief introduction to Keystone and PKI Tokens <http://www.enovance.com/fr/blog/5641/keystone-pki-tokens> * Glance wants to go public <http://blog.flaper87.org/post/517da0e10f06d35562ce7376/>: the future of OpenStack Image Service * OpenStack Common Vulnerability Database <http://secstack.org/2013/04/openstack-common-vulnerability-database/> * OpenStack Project Meeting: Summary <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-04-30-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-04-30-21.…> o /HELP/: please participate to the thread that Gabriel started on API version discovery <http://markmail.org/message/xn7cyjskq2wznqhj> Welcome New Developers * Shawn Hartsock, VMwware * David Martin, redbrick health Got answers? Ask OpenStack <https://ask.openstack.org/> is the go-to destination for OpenStack users. Interesting questions waiting for answers: * openstack tries to use cache=none when using glusterfs, when it should be writethrough <https://ask.openstack.org/question/758/openstack-tries-to-use-cachenone-whe…> * Ceilometer BinApiTestCase fails with 503 error connecting to localhost <https://ask.openstack.org/question/669/ceilometer-binapitestcase-fails-with…> * Why do I get “Could not find token” error using Swift with s3 API? <https://ask.openstack.org/question/661/why-do-i-get-could-not-find-token-er…> * What p2v (physical to Virtual) capabilities does OpenStack have? <https://ask.openstack.org/question/651/what-p2v-physical-to-virtual-capabil…> * Why isn’t OpenStack Swift sending metrics to Statsd server? <https://ask.openstack.org/question/755/why-isnt-openstack-swift-sending-met…> * “Package ‘openstack-keystone’ isn’t signed with proper key” installing OpenStack on CentOS 6.4 <https://ask.openstack.org/question/747/package-openstack-keystone-isnt-sign…> /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0