- OpenStack-announce - lists.openstack.org

[OSSA 2014-021] User token leak to message queue in pyCADF notifier middleware (CVE-2014-4615)
by Tristan Cacqueray 25 Jun '14

25 Jun '14

OpenStack Security Advisory: 2014-021 CVE: CVE-2014-4615 Date: June 25, 2014 Title: User token leak to message queue in pyCADF notifier middleware Reporter: Zhi Kun Liu (IBM) Products: Neutron (2014.1 versions up to 2014.1.1) Ceilometer (2013.2 versions up to 2013.2.3, 2014.1 versions up to 2014.1.1) pyCADF library (all versions up to 0.5.0) Description: Zhi Kun Liu from IBM reported a vulnerability in the notifier middleware available in the PyCADF library and formerly copied into Neutron and Ceilometer code. An attacker with read access to the message queue may obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that goes through the notifier middleware. All services using the notifier middleware configured after the auth_token middleware pipeline are impacted. pyCADF fix (included in 0.5.1 release): https://review.openstack.org/94878 (pyCADF) Juno (development branch) fix: https://review.openstack.org/94891 (Neutron) Icehouse fix: https://review.openstack.org/101097 (Neutron) https://review.openstack.org/96944 (Ceilometer) Havana fix: https://review.openstack.org/101799 (Ceilometer) Notes: Ceilometer Juno (master) branch is not affected. Those fixes will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4615 https://launchpad.net/bugs/1321080 -- Tristan Cacqueray OpenStack Vulnerability Management Team

1 0

OpenStack Community Weekly Newsletter (June 13 - 20)
by Stefano Maffulli 20 Jun '14

20 Jun '14

1 0

[OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header (CVE-2014-3497)
by Tristan Cacqueray 19 Jun '14

19 Jun '14

OpenStack Security Advisory: 2014-020 CVE: CVE-2014-3497 Date: June 19, 2014 Title: XSS in Swift requests through WWW-Authenticate header Reporter: Globo.com Security Team Products: Swift Versions: 1.11.0 to 1.13.1 Description: Globo.com Security Team reported a vulnerability in Swift's header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data in Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected. Juno (development branch) fix: https://review.openstack.org/101031 Icehouse (1.13.*) fix: https://review.openstack.org/101032 Notes: This fix will be included in the upcoming 2.0.0 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497 https://launchpad.net/bugs/1327414 --· Tristan Cacqueray OpenStack Vulnerability Management Team

1 0

[OSSA 2014-019] Neutron L3-agent DoS through IPv6 subnet (CVE-2014-4167)
by Tristan Cacqueray 18 Jun '14

18 Jun '14

OpenStack Security Advisory: 2014-019 CVE: CVE-2014-4167 Date: June 18, 2014 Title: Neutron L3-agent DoS through IPv6 subnet Reporter: Thiago Martins (HP) Products: Neutron Versions: up to 2013.2.3, and 2014.1 Description: Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 addresses from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected. Juno (development branch) fix: https://review.openstack.org/88584 Icehouse fix: https://review.openstack.org/95938 Havana fix: https://review.openstack.org/95939 Notes: This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4167 https://launchpad.net/bugs/1309195 -- Tristan Cacqueray OpenStack Vulnerability Management Team

1 0

OpenStack Community Weekly Newsletter (June 6 – 13)
by Stefano Maffulli 13 Jun '14

13 Jun '14

1 0

[OSSA 2014-018] Keystone privilege escalation through trust chained delegation (CVE-2014-3476)
by Tristan Cacqueray 12 Jun '14

12 Jun '14

OpenStack Security Advisory: 2014-018 CVE: CVE-2014-3476 Date: June 12, 2014 Title: Keystone privilege escalation through trust chained delegation Reporter: Steven Hardy (Red Hat) Products: Keystone Versions: up to 2013.2.3, and 2014.1 to 2014.1.1 Description: Steven Hardy from Red Hat reported a vulnerability in Keystone chained delegation. By creating a delegation from a trust or OAuth token, a trustee may abuse the identity impersonation against keystone and circumvent the enforced scope, resulting in potential elevated privileges to any of the trustor's projects and or roles. All Keystone deployments configured to enable trusts are affected, which has been the default since Grizzly. Juno (development branch) fix: https://review.openstack.org/99687 Icehouse fix: https://review.openstack.org/99700 Havana fix: https://review.openstack.org/99703 Notes: This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3476 https://launchpad.net/bugs/1324592 -- Tristan Cacqueray OpenStack Vulnerability Management Team

1 0

Juno-1 development milestone available
by Thierry Carrez 12 Jun '14

12 Jun '14

Hi everyone, The first milestone of the Juno development cycle, "juno-1" is now available for Keystone, Glance, Nova, Horizon, Neutron, Cinder, Ceilometer, Heat, Trove, and Sahara. It contains all the new features that have been added since the Icehouse Feature Freeze in March. You can find the full list of new features and fixed bugs, as well as tarball downloads, at: https://launchpad.net/keystone/juno/juno-1 https://launchpad.net/glance/juno/juno-1 https://launchpad.net/nova/juno/juno-1 https://launchpad.net/horizon/juno/juno-1 https://launchpad.net/neutron/juno/juno-1 https://launchpad.net/cinder/juno/juno-1 https://launchpad.net/ceilometer/juno/juno-1 https://launchpad.net/heat/juno/juno-1 https://launchpad.net/trove/juno/juno-1 https://launchpad.net/sahara/juno/juno-1 Including the oslo libraries, 51 blueprints were implemented and no less than 910 bugs were fixed during this milestone. The relatively-low number of features implemented in this milestone can be explained by the recent switch, for most of our integrated projects, to a more formal upfront review of feature design. The next development milestone, juno-2, is scheduled for July 24th. You can further track upcoming features and Juno release cycle status at: http://status.openstack.org/release/ Regards, -- Thierry Carrez (ttx)

1 0

OpenStack 2014.1.1 released
by Alan Pevec 09 Jun '14

09 Jun '14

Hello everyone, The OpenStack Stable Maintenance team is happy to announce the release of the 2014.1.1 stable Icehouse release. We have been busy reviewing and accepting backported bugfixes to the stable/icehouse branches according to the criteria set at: https://wiki.openstack.org/wiki/StableBranch A total of 79 bugs have been fixed across all projects. These updates to Icehouse are intended to be low risk with no intentional regressions or API changes. The list of bugs, tarballs and other milestone information for each project may be found on Launchpad: https://launchpad.net/ceilometer/icehouse/2014.1.1 https://launchpad.net/cinder/icehouse/2014.1.1 https://launchpad.net/glance/icehouse/2014.1.1 https://launchpad.net/heat/icehouse/2014.1.1 https://launchpad.net/horizon/icehouse/2014.1.1 https://launchpad.net/keystone/icehouse/2014.1.1 https://launchpad.net/neutron/icehouse/2014.1.1 https://launchpad.net/nova/icehouse/2014.1.1 OpenStack Database Service (Trove) did not have stable/icehouse fixes at this time and will skip 2014.1.1 release. Release notes may be found on the wiki: https://wiki.openstack.org/wiki/ReleaseNotes/2014.1.1 The freeze on the stable/icehouse branches will be lifted today as we begin working toward the 2014.1.2 release, planned for Aug 7 release and managed by Chuck Short. Thanks, Alan

1 0

OpenStack Community Weekly Newsletter (May 30 – June 6)
by Stefano Maffulli 06 Jun '14

06 Jun '14

1 0

OpenStack Community Weekly Newsletter (May 23 – 30)
by Stefano Maffulli 30 May '14

30 May '14

1 0