- OpenStack-announce - lists.openstack.org

[OSSA 2013-005] Keystone EC2-style authentication accepts disabled user/tenants (CVE-2013-0282)
by Thierry Carrez 19 Feb '13

19 Feb '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-005 CVE: CVE-2013-0282 Date: February 19, 2013 Keystone EC2-style authentication accepts disabled user/tenants Reporter: Nathanael Burton (National Security Agency) Products: Keystone Affects: All versions Description: Nathanael Burton reported a vulnerability in EC2-style authentication in Keystone. Keystone fails to check whether a user, tenant, or domain is enabled before authenticating a user using the EC2 api. Authenticated, but disabled users (or authenticated users in disabled tenants or domains) could therefore retain access rights that were thought removed. Only setups enabling EC2-style authentication are affected. To disable EC2-style authentication to work around the issue, remove the EC2 extension (keystone.contrib.ec2:Ec2Extension.factory) from the keystone API pipeline in keystone.conf. Grizzly (development branch) fix: https://review.openstack.org/#/c/22319/ Folsom fix: https://review.openstack.org/#/c/22320/ Essex fix: https://review.openstack.org/#/c/22321/ References: https://bugs.launchpad.net/keystone/+bug/1121494 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0282 - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRI7nbAAoJEFB6+JAlsQQjGHgP/2yHBH4Yvzl3Q0P4oMr2Vskb 9xroi6sEQTgP/KaidIiV2lORdgSqYZZlylW3EbHnR1Io9natqCLfYkkEdpagTUxM WcYXAJtBHbHN+hpeGiYojPsV1LmgIX81UrausX1k5U1ZtFkvOhrfhcXWPOozREkM WwhYjaGl14dmIusE7h0uY7VNTiQMI9LAft18OfJMNFTwA/FmkxlPO/Jea8CUwDIl LSLv+MRFw2M01TnsAYlnFsa9O7175q2DpNPCqXYjh38ewNBJHuArtuASkA7hHrMA wYUzAS3lho9WuGVG/GwZk1V//GQhpzn/VWxRCmuOS3tpwTksbkXF36kwOnP5Vu5N uo9jLBAovHIqfr0QGXGYMXA9Bu9jW5geUIuDNvpKkAFIiQVS3JcDWsqsu7otgjHY HKUKmYF66BAJmmaM7aXPswGs61B6F3SLIZCneOp9N8PnT3PCR57++zMEjEWBYuLw E4BDKPa1k2Q822hxWizhXAmkfc5t+AVk2kKPa9a5sMY2oNNrqtRR4+jMjXiS9CmU gQs9VbXrmMy577zcCkzj7ci7fY0iFUtHW7PhFKUpHf2Mpr2/vLwc4p8g5da8bTwU 2swDuJ/KPsd66oEYjQW0CGBymMTkmbZWUX4InAj1ZynESW46cb/CAaS8oGk2I6dC F3MMfAjNkfhO9srLLNoC =fWOa -----END PGP SIGNATURE-----

1 0

[OSSA 2013-004] Information leak and Denial of Service using XML entities (CVE-2013-1664, CVE-2013-1665)
by Thierry Carrez 19 Feb '13

19 Feb '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-004 CVE: CVE-2013-1664, CVE-2013-1665 Date: February 19, 2013 Title: Information leak and Denial of Service using XML entities Reporter: Jonathan Murray (NCC Group), Joshua Harlow (Yahoo!), Stuart Stent Products: Keystone, Nova, Cinder (see note) Affects: All versions Description: Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent independently reported a vulnerabilities in the parsing of XML requests in Python XML libraries used in Keystone, Nova and Cinder. By using entities in XML requests, an unauthenticated attacker may consume excessive resources on the Keystone, Nova or Cinder API servers, resulting in a denial of service and potentially a crash (CVE-2013-1664). Authenticated attackers may also leverage XML entities to read the content of a local file on the Keystone API server (CVE-2013-1665). This only affects servers with XML support enabled. Note: The vulnerabilities are actually in the various affected Python XML libraries, but we provide OpenStack patches working around the issues. Grizzly (development branch) fixes: Nova: https://review.openstack.org/#/c/22309/ Cinder: https://review.openstack.org/#/c/22310/ Keystone: https://review.openstack.org/#/c/22315/ Folsom fixes: Nova: https://review.openstack.org/#/c/22312/ Cinder: https://review.openstack.org/#/c/22311/ Keystone: https://review.openstack.org/#/c/22314/ Essex fixes: Nova: https://review.openstack.org/#/c/22313/ Keystone: https://review.openstack.org/#/c/22316/ References: https://bugs.launchpad.net/nova/+bug/1100282 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1664 https://bugs.launchpad.net/keystone/+bug/1100279 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1665 - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRI5+DAAoJEFB6+JAlsQQj2fQQALLE9GEOIRGcj9gXXQ5mDS3l /CWI6ljTlVWxXy143lAUbkpvW0AHx0S6wVU38Hh/wS6D3u4JpxC2lERcI6KB7XyF R6F7qWzdwulh+0GX9n+8rO0qLVkqhB6hn3bCVUKu20N+cromJHsSgzDU6lvVlUAU dwc9eFWmg2d7bpESUdltDo9yEnz0jXxzOpCseC5/zfSo5RnJU1Oi4ZaiXPzbRqqb bQzKRGevLddHAMKJnKrYvpg5471LQ8bC7rMYwq44c4HH0+ZhwQVgwyBxdeyNGISI kJ1LhTGlDdTN1SBV3QDc0//pai2tQtcY96sQJ+1FWl9wrAMft+hSyCmRlsX2O4O1 zbN/iUEVmZRP1/JuD8tk+TDUlBdTSZai3pV9bVlRQ7GWUKSreDI38T87d+ZZe0Uz f63hafBSKGqQ/GD8s5HnJopvGK1vY2zgiNuORJc5PH8iPo/75YVRM3Ct6lFwooIe uPow6AbydISEVUbsK1AcLESQ6Uq4CufsNUColi1o+2PRlc2/Jt/ZXaFx2LfsE6ka m6cXJMIZZ6Mrz6ogtYnEYDkzPPQ7/oLXzVxoS3NCoh/LLxs838eqiAZ+mVVboAaO LOARFrqYw8wfg45JLqQ2mb/Oe10hPZdMwc+lQa2ccDYLBJXkrMKz7vHW8W47bM1H i5g9RJ8pkA5wFKxBgfKj =pNuW -----END PGP SIGNATURE-----

1 0

OpenStack Community Weekly Newsletter (Feb 8 – 15)
by Stefano Maffulli 15 Feb '13

15 Feb '13

Highlights of the week Important CLA changes coming in 10 days <http://markmail.org/message/azrdwianmnt2j5oc> Starting on February 24, 2013 all contributors MUST review and agree to the new OpenStack Individual Contributor License Agreement and provide updated contact information at https://review.openstack.org/#/settings/agreements. On that day the Gerrit interface will be changing to present the new CLA text referring to the OpenStack Foundation, and will prompt you to agree to it there. Any previous agreement with OpenStack LLC will be marked expired at that time. The text of the new agreement is available for your convenience <https://review.openstack.org/static/cla.html> (just changes “LLC” to “Foundation” and corrects a few typographical errors). You must also sign up for an OpenStack Foundation Individual Membership with the same E-mail address as used for your Gerrit contact information: http://openstack.org/register/. OpenStack Object Storage (aka Swift) for new contributors <http://swiftstack.com/blog/2013/12/03/swift-for-new-contributors/> As a developer, jumping into a mature codebase can be somewhat daunting. How is the code structured? What is the request flow? What’s the process for getting my changes contributed upstream? Find answers to these questions on this post by SwiftStack. Evolution of the incubation process <http://lists.openstack.org/pipermail/openstack-tc/2013-February/000119.html> The Technical Committee approved a set of changes to the incubation process, the process through which a project becomes part of the co-ordinated, integrated OpenStack release. One of the visible change is the switch from using the term “Core projects” to “Integrated”. Upstream University at the OpenStack summit <http://dachary.org/?p=1846> Upstream University is organizing a session <http://upstream-university.org/apply/> in advance of the next OpenStack summit <http://www.openstack.org/summit/portland-2013/>, in Portland. If you can fly in two days ahead of the event to spend the weekend improving your OpenStack contribution skills, please consider submitting an application <http://upstream-university.org/apply/> to attend the workshop. Python trademark at risk in Europe: Python Foundation needs your help <http://pyfound.blogspot.co.uk/2013/02/python-trademark-at-risk-in-europe-we…> For anyone who works in a company that has an office in a EU Community member state, the Python Software Foundation needs your help. There is a company in the UK that is trying to trademark the use of the term “Python” for all software, services, servers… pretty much anything having to do with a computer. The PSF is asking a letter on company letterhead to forward to their EU counsel. More details on PSF <http://PSF/>News <http://pyfound.blogspot.co.uk/2013/02/python-trademark-at-risk-in-europe-we…>. Report of Openstack project on SF State University campus <http://commons.sfsu.edu/report-openstack-project-campus> Two students (Brandon Lai and Pascal Schuele) under supervision of prof. Sameer Verma worked on exploring the cloud computing space in Fall 2012. They built a demo/prototype of a private cloud platform on campus and presented at the end of the semester. Prof. Verma hopes to continue to expand this project in Spring 2013. Security Advisories * CVE-2013-0247 : Keystone denial of service through invalid token requests <http://secstack.org/2013/02/cve-2013-0247-keystone-denial-of-service-throug…> Tips and Tricks * By Matthias Runge <http://www.matthias-runge.de/>: How to create a custom theme for Horizon <http://www.matthias-runge.de/2013/02/15/how-to-create-a-custom-theme-for-ho…> * By Julien Danjou <http://julien.danjou.info/blog/>: Cloud tools for Debian <http://julien.danjou.info/blog/2013/cloud-init-utils-debian> * By Derek Higgins <http://goodsquishy.com/>: Looking for a Fedora 18 qcow2 image to use on openstack <http://goodsquishy.com/2013/02/fedora-18-qcow2-image/> Upcoming Events * Second Swiss OpenStack User Group Meeting <http://www.meetup.com/zhgeeks/events/97648722/> Feb 19, 2013 – Zurich, Switzerland Details <http://www.meetup.com/zhgeeks/events/97648722/> * SCALE 11x <https://www.socallinuxexpo.org/scale11x/> Feb 22 – 24, 2013 – Los Angeles, CA Details <https://www.socallinuxexpo.org/scale11x/> * OpenStack Delhi NCR Meetup <http://www.meetup.com/Indian-OpenStack-User-Group/events/102301202/> Feb 22, 2013 – India Details <http://www.meetup.com/Indian-OpenStack-User-Group/events/102301202/> * OpenStack in Production at Scale <http://www.meetup.com/meetup-group-NjZdcegA/events/103564202/> Feb 28, 2013 – Chicago, IL Details <http://www.meetup.com/meetup-group-NjZdcegA/events/103564202/> * Pulse Open Cloud Summit <http://www.ibmpulseblog.com/new-pulse-open-cloud-summit-arrive-early-on-sun…>Mar 03, 2013 – MGM Grand in Las Vegas, NV Details <http://www.ibmpulseblog.com/new-pulse-open-cloud-summit-arrive-early-on-sun…> * Pulse 2013 <https://www-01.ibm.com/software/tivoli/pulse/agenda/index.html> Mar 04 – 06, 2013 – Las Vegas, NV Details <https://www-01.ibm.com/software/tivoli/pulse/agenda/index.html> * OpenStack Day Tokyo 2013 <http://openstackdays.com/en/> Mar 12, 2013 – Tokyo, Japan Details <http://openstackdays.com/en/> * OpenStack Italia User Group: …dove eravamo rimasti? <http://www.meetup.com/OpenStack-User-Group-Italia/events/102481022/> Mar 14, 2013 – Milano, Italy Details <http://www.meetup.com/OpenStack-User-Group-Italia/events/102481022/> * OpenStack Object Storage (Swift) API Sprint at PyCon 2013 <https://us.pycon.org/2013/community/sprints/swift/> Mar 18, 2013 – Santa Clara, CA Details <https://us.pycon.org/2013/community/sprints/swift/> * OpenStack Developers Meetup <http://www.meetup.com/openstack-atlanta/> Mar 21, 2013 – Atlanta, GA Details <http://www.meetup.com/openstack-atlanta/> * 1st OpenStack User Group Nordics meetup <http://www.meetup.com/OpenStack-User-Group-Nordics/events/95258382/> Apr 03, 2013 – Kista, Sweden Details <http://www.meetup.com/OpenStack-User-Group-Nordics/events/95258382/> * OpenStack Summit April 2013 <http://www.openstack.org/summit/portland-2013/> Apr 15 – 18, 2013 – Portland, OR Details <http://www.openstack.org/summit/portland-2013/> * OpenStack Israel <http://www.openstack.org/> May 27, 2013 – Tel-Aviv, Israel Coming Soon <http://www.openstack.org/> Other News * February 12th OpenStack Foundation Board Meeting <http://blogs.gnome.org/markmc/2013/02/15/february-12th-openstack-foundation…> * XenAPINFS – Integrated with Glance <http://blogs.citrix.com/2013/02/12/xenapinfs-integrated-with-glance/> * OpenStack Project Meeting: Summary <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-02-12-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-02-12-21.…>. Welcome New Contributors Celebrating the first patches submitted this week by: * Tim Potter, HP * Jean-Baptiste RANSY, Alyseo * Nicholas Kuechler * Adalberto Medeiros, IBM /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

OpenStack Community Weekly Newsletter (Feb 1 – 8)
by Stefano Maffulli 08 Feb '13

08 Feb '13

Highlights of the week Best way to brag about contributing to Grizzly? Contributors to OpenStack Folsom received a nice patch to stick on something you carry every day like a backpack or your favorite sweater. Would you like to get a patch for Grizzly, too? Would you rather get something else to brag about your ‘Contributor’ status? Let us know your preferences. Packstack: Openstack Install tool <http://blog.flaper87.org/post/511441160f06d34258e8a6ac/> There is a new tool that installs Openstack either on bare metal or Vms: it can be found on github under the fedora-openstack organization. Packstack is currently in its first ages and still under heavy development but, it’s already capable of installing, customize some parameters and distribute most of the Openstack modules on a single server or several as well. It currently supports Red Hat based distros but there’s space for more. Testing <http://anteaya.info/blog/2013/02/07/testing/> (OpenStack) Anita Kuno <http://anteaya.info/>, one of our awesome intern of OPW program, tells the tales common to new developers learning about OpenStack developer’s community. In this new installation she tells us how she had to run some tests in /opt/stack/nova and every command failed. Why? She didn’t know. But now she does. Cloud Prizefight: OpenStack vs. VMware <http://www.mirantis.com/blog/cloud-prizefight-vmware-vs-openstack/> There have been many discussions in the cloud landscape comparing VMware and OpenStack. In fact, it’s one of the most popular topics among those thinking about using OpenStack. Mirantis’ Lee Xie judged the two in the following categories: design, features, use cases, and value. The categories are scored on a 10-point scale and then tallied to determine the winner. In a nutshell: How Does OpenStack work? <http://vmartinezdelacruz.com/in-a-nutshell-how-openstack-works/> Victoria Martínez de la Cruz <http://vmartinezdelacruz.com/>, another awesome intern of OPW program, uses pictures and words to explain in a blog post how OpenStack works. Security Advisories * Keystone denial of service through invalid token requests (CVE-2013-0247) <http://markmail.org/message/tan3hpm3rlpqb3rf> Tips and Tricks * By Adam Young <http://adam.younglogic.com/>: Using Puppet to setup PostgreSQL for Keystone on Fedora <http://adam.younglogic.com/2013/02/puppet-postgresql-keystone/> * By Victoria Martínez de la Cruz <http://vmartinezdelacruz.com/>: TryStack: OpenStack for fun and profit <http://vmartinezdelacruz.com/trystack-openstack-for-fun-and-profit/> Upcoming Events * OpenStack Mini-Conf at gnuNify <http://gnunify.in/2013/events/OpenStack_Mini_Conf> Feb 15, 2013 – Pune, India Details <http://gnunify.in/2013/event/OpenStack_Mini_Conf> * Second Swiss OpenStack User Group Meeting <http://www.meetup.com/zhgeeks/events/97648722/> Feb 19, 2013 – Zurich, Switzerland Details <http://www.meetup.com/zhgeeks/events/97648722/> * SCALE 11x <https://www.socallinuxexpo.org/scale11x/> Feb 22 – 24, 2013 – Los Angeles, CA Details <https://www.socallinuxexpo.org/scale11x/> * Pulse Open Cloud Summit <http://www.ibmpulseblog.com/new-pulse-open-cloud-summit-arrive-early-on-sun…> Mar 03, 2013 – MGM Grand in Las Vegas, NV Details <http://www.ibmpulseblog.com/new-pulse-open-cloud-summit-arrive-early-on-sun…> * Pulse 2013 <https://www-01.ibm.com/software/tivoli/pulse/agenda/index.html> Mar 04 – 06, 2013 – Las Vegas, NV Details <https://www-01.ibm.com/software/tivoli/pulse/agenda/index.html> * OpenStack Day Tokyo 2013 <http://openstackdays.com/en/> Mar 12, 2013 – Tokyo, Japan Details <http://openstackdays.com/en/> * OpenStack Swift API Sprint at PyCon 2013 <https://us.pycon.org/2013/community/sprints/swift/> Mar 18, 2013 – Santa Clara, CA Details <https://us.pycon.org/2013/community/sprints/swift/> * OpenStack Developers Meetup <http://www.meetup.com/openstack-atlanta/> Mar 21, 2013 – Atlanta, GA Details <http://www.meetup.com/openstack-atlanta/> * 1st OpenStack User Group Nordics meetup <http://www.meetup.com/OpenStack-User-Group-Nordics/events/95258382/> Apr 03, 2013 – Kista, Sweden Details <http://www.meetup.com/OpenStack-User-Group-Nordics/events/95258382/> * OpenStack Summit April 2013 <http://www.openstack.org/summit/portland-2013/> Apr 15 – 18, 2013 – Portland, OR Details <http://www.openstack.org/summit/portland-2013/> * OpenStack Israel <http://www.openstack.org/> May 27, 2013 – Tel-Aviv, Israel Coming Soon <http://www.openstack.org/> Reports From Past Events * TryStack.cn 2013 first meetup <http://www.openstack.org/blog/2013/02/trystack-cn-2013-first-meetup/> Other News * Q&A with Lucas Welch Senior Communications Manager at Opscode: What’s cooking at Opscode? <http://rafstack.tumblr.com/post/42590542410>Consumerization of IT or Death: OpenStack and Agile IT Operations <http://www.mirantis.com/blog/consumerization-of-it-or-zombie-meat-openstack…> * Altai v1.1.0 with LDAP/AD support <http://openstackgd.wordpress.com/2013/02/04/altai-v1-1-0-with-ldapad-suppor…> * OpenStack Board of Directors Talks: Episode 7 with Joshua McKenty, co-Founder and CTO of Piston Cloud Computing <http://rafstack.tumblr.com/post/42509862319> * OpenStack Project Meeting: Summary <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-02-05-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-02-05-21.…>. Welcome New Contributors Celebrating the first patches submitted this week by: * Kurt Martin, HP * Svetlana Shturm, Mirantis * Mitsuhiko Yamazaki, NEC * Andrea Frittoli, HP * James Morgan, Rackspace * Jesse Pretorius * Nathan Reller, JHU APL * Rami Vaknin, Redhat /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

unsubscribe
by Mark van den Bogaard 05 Feb '13

05 Feb '13

Met vriendelijke groeten, Mark van den Bogaard NLcom ICT Solutions T +31 (0)43 350 0190 F +31 (0)43 350 0192 E bogaard(a)nlcom.nl <mailto:bogaard@nlcom.nl> I www.nlcom.nl <http://www.nlcom.nl/> <http://www.facebook.com/nlcom> <http://twitter.com/nlcom> <http://www.linkedin.com/company/nlcom> Support: T +31 (0)43 3270555 Office: Hoogbrugplein 4, 6221 DB Maastricht KvK Zuid-Limburg: 14059477

1 0

[OSSA 2013-003] Keystone denial of service through invalid token requests (CVE-2013-0247)
by Thierry Carrez 05 Feb '13

05 Feb '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-003 CVE: CVE-2013-0247 Date: February 5, 2013 Title: Keystone denial of service through invalid token requests Reporter: Dan Prince (Red Hat) Products: Keystone Affects: All versions Description: Dan Prince of Red Hat reported a vulnerability in token creation error handling in Keystone. By requesting lots of invalid tokens, an unauthenticated user may fill up logs on Keystone API servers disks, potentially resulting in a denial of service attack against Keystone. Grizzly (development branch) fix: https://github.com/openstack/keystone/commit/8ec247bf61be0e487332d5d891246d… Folsom fix: https://github.com/openstack/keystone/commit/bb2226f944aaa38beb7fc08ce0a787… Essex fix: https://review.openstack.org/#/c/21216/ References: https://bugs.launchpad.net/keystone/+bug/1098307 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0247 - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRETGUAAoJEFB6+JAlsQQjbC0QAIzjY1gNe/Lr2X+xDOvz+q2v 7O6Tn2ZV3X1/fgdVbicl4CVnNzkb3mbG1/pIEl7FbpSFfY6a3a8leJZD7u9bKB6z M4xNGXITGJoT7HBo8ABvDH4X6p5oA/LDkuCZVotY4SHa5xIYRcQk884DbnIYoGe7 zXEek352gHgX7m0DmABm8Pz8E+IpyFIp8rdPEv4w9EeVDJmjhZvcgsMhKZmNahph DyBMDvdGY7nXeurzI43tMdWHkqYCljq1qagLqzNxjXJj796FNixUdwnBfmvkRuDI XvNOGQEnwWMdwRhHgQm9C6o9Y8OYnA2XXLxjKhYuNOYT09c2ZPqhITuT1Aka8eg4 Xnqt6OnGLhA8qq0zYfRPGAZFXghQ20NqSDU4CaZntYS9bFUZjQegnKA9qmo2bdJp TbtE/UoZgDAxAvm5n0myHuT2nw75RCM0FWvbKA6VpgK2qikx77rK6/Y5M68F1288 hj7qxMUrbsj0aNBPoWkgpUdIzH3oLsvVq4tRxhSUGj06UIOtXo9QVpxRjmOU46eM HKKL0n2Gfmi+kXgJfUdlGeQjlYUnNIx4pljn0RHRwyc5nLGdLUTy6ufnRclYRKSY roS2qlrR+gDkKeHP3JS1zcdFblg/VKrAK5IN+JIeKRbZ+l/g2ghFemoVYjdduR3E IRB0CC4khRi7njgBdDl1 =CzsK -----END PGP SIGNATURE-----

1 0

OpenStack Community Weekly Newsletter (Jan 25 – Feb 1)
by Stefano Maffulli 01 Feb '13

01 Feb '13

Highlights of the week "H" stands for Havana <https://launchpad.net/%7Eopenstack/+poll/h-release-naming> The polls closed, *Havana* will be the code name for the OpenStack release following Grizzly. Contributing to OpenStack <http://www.icchasethi.com/?p=18> Rackspace’s Iccha Sethi conducted a workshop on Contributing to OpenStack. Look at the presentation on her blog. Quota Project: An effective way to manage the usage of your Swift-based storage cloud <http://www.zmanda.com/blogs/?p=1043> Quota is a production-ready project that is mainly used for controlling the usage of account and containers in OpenStack Swift. The Zmanda team talks about Swift Quota which has been used in StackLab <http://stacklab.org/>– a production public cloud for users to try out. OpenStack 2012.2.3 released <http://markmail.org/message/bgpbjlpadqjle57e> In the time since the Folsom release, the maintainer of OpenStack stable branch have been busy selectively back-porting bugfixes to the *stable*/folsom branch according to our “safe source of high-impact fixes” criteria <http://wiki.openstack.org/StableBranch>. These releases are bugfix updates to Folsom and are intended to be relatively risk free with no intentional regressions or API changes. Read the full Release Notes <http://wiki.openstack.org/ReleaseNotes/2012.2.3>. Access OpenStack Swift as an FTP/SFTP service <https://github.com/chmouel/ftp-cloudfs> ftp-cloudfs is a proxy service that can be used to access to the object storage with any regular FTP client. The project is mature now and it’s in production at Memset and other cloud storage providers. Sftp-cloudfs offers similar abstraction but for the SFTP. The code is on github for both projects https://github.com/chmouel/ftp-cloudfs and https://github.com/Memset/sftpcloudfs Looking for active reviewers — and inclusion in QA-core <http://markmail.org/message/wce54eimw6oowo2y> As the OpenStack projects grow, so does *Tempest*. While the team has been successful recently in improving the runtime of *Tempest* and getting full test suite runs gating other projects, the number of new code submissions to *Tempest* has exploded recently as more contributors find their way to *Tempest*. What this means is that the team needs more people that do reviews. Security Advisories * Backend password leak in Glance error message (CVE-2013-0212) <http://markmail.org/message/r2vvh6c4vw22hlr4> * Boot from volume allows access to random volumes (CVE-2013-0208) <http://markmail.org/message/xyezeqgexg2dbqzh> Tips and tricks * By Laura Alves <http://ladquin.dreamwidth.org/>: Let’s get technical: RESTful APIs <http://ladquin.dreamwidth.org/982.html> Upcoming Events * FOSDEM’13 <https://fosdem.org/2013/schedule/track/cloud/> Feb 02 – 03, 2013 – Bruxelles, Belgium Cloud track <https://fosdem.org/2013/schedule/track/cloud/> * OpenStack Mini-Conf at gnuNify <http://gnunify.in/2013/events/OpenStack_Mini_Conf> Feb 15, 2013 – Pune, India Details <http://gnunify.in/2013/event/OpenStack_Mini_Conf> * Second Swiss OpenStack User Group Meeting <http://www.meetup.com/zhgeeks/events/97648722/> Feb 19, 2013 – Zurich, Switzerland Details <http://www.meetup.com/zhgeeks/events/97648722/> * SCALE 11x <https://www.socallinuxexpo.org/scale11x/> Feb 22 – 24, 2013 – Los Angeles, CA Details <https://www.socallinuxexpo.org/scale11x/> * Pulse 2013 <https://www-01.ibm.com/software/tivoli/pulse/agenda/index.html> Mar 03 – 06, 2013 – Las Vegas, NV Details <https://www-01.ibm.com/software/tivoli/pulse/agenda/index.html> * OpenStack Day Tokyo 2013 <http://openstack.jp/events/osdt2013.html> Mar 12, 2013 – Tokyo, Japan Details <http://openstack.jp/events/osdt2013.html> * OpenStack Developers Meetup <http://www.meetup.com/openstack-atlanta/> Feb 21, 2013 – Atlanta, GA Details <http://www.meetup.com/openstack-atlanta/> * OpenStack Israel <http://www.openstack.org/> May 27, 2013 – Tel-Aviv, Israel Coming Soon <http://www.openstack.org/> Other news * Mark McLoughlin’s notes from his First Board Meeting <http://blogs.gnome.org/markmc/2013/01/31/first-board-meeting/> * OpenStack Board of Directors Talks: Episode 6 with Tim Bell, Infrastructure Manager at CERN <http://rafstack.tumblr.com/post/41937749759> * OpenStack Project Meeting: Summary <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-01-29-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-01-29-21.…>. Welcome new contributors Celebrating the first patches submitted this week by: * Paul Michali, Cisco * Motonobu Ichimura * umamohan, HP * Roman Prykhodchenko, Mirantis /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

[ANNOUNCE] OpenStack 2012.2.3 released
by Mark McLoughlin 31 Jan '13

31 Jan '13

Hey, In the time since the Folsom release, we have been busy selectively back-porting bugfixes to the stable/folsom branch according to our "safe source of high-impact fixes" criteria documented here: http://wiki.openstack.org/StableBranch We're happy to announce the 2012.2.3 release, the latest in the series of releases to make available the bugfixes from stable/folsom. These releases are bugfix updates to Folsom and are intended to be relatively risk free with no intentional regressions or API changes. A total of 51 bugs have been fixed in this release. The list of bugs fixed can be seen here: https://launchpad.net/nova/folsom/2012.2.3 https://launchpad.net/glance/folsom/2012.2.3 https://launchpad.net/keystone/folsom/2012.2.3 https://launchpad.net/cinder/folsom/2012.2.3 https://launchpad.net/quantum/folsom/2012.2.3 https://launchpad.net/horizon/folsom/2012.2.3 Please read (and add to!) the release notes at: http://wiki.openstack.org/ReleaseNotes/2012.2.3 Enjoy! Mark.

1 0

[OSSA 2013-002] Backend password leak in Glance error message (CVE-2013-0212)
by Thierry Carrez 29 Jan '13

29 Jan '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-002 CVE: CVE-2013-0212 Date: January 29, 2013 Title: Backend password leak in Glance error message Reporter: Dan Prince (Red Hat) Products: Glance Affects: All versions Dan Prince of Red Hat discovered an issue in Glance error reporting. By creating an image in Glance by URL that references a mis-configured Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image references for any reason becomes unusable, an authenticated user may access the Glance operator's Swift credentials for that endpoint. Only setups that use the single-tenant Swift store are affected. Grizzly (development branch) fix: http://github.com/openstack/glance/commit/e96273112b5b5da58d970796b7cfce04c… Folsom fix (included in upcoming Glance 2012.2.3 stable update): http://github.com/openstack/glance/commit/96a470be64adcef97f235ca96ed3c59ed… Essex fix: http://github.com/openstack/glance/commit/37d4d96bf88c2bf3e7e9511b5e321cf4b… References: https://bugs.launchpad.net/glance/+bug/1098962 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0212 - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRCCvqAAoJEFB6+JAlsQQj9scP/1bQzhQ5lA/jNoPIPMlUKOr4 NlrT9+QA6pF3xOjTQeyViTTUfMn1YHdOTS8bi/NeSlL3UuEhpdCb59APwqmZva3u Tx+so6L3nc5qNRdDAAr6oNBYmD08T41ceLpzjv9BbTgPxD4gUCg9WeySBAa+I7MU 1w1hvhObhQWZ8Xvqf/2tKTrMpGuJOS/0aoMSQUMqFR47moyYgBznNT6J3FaC3haE jRh4RSv7XKN2MU0Cv05m/txXNUTP6rtl+qAiGW9UZvhTHY/kafaJLi/HuGkmANf0 fkuoKL5VxFYoIbHDlJ+ymPUz/jgoZJNkvvmS5mQH7YFBdgAvzAIAYJ4jk8uOMMmo AHqaVdfZYCWRP6pMDzjnU5EGhRrgt2RafWsnU8MyYePrF3G8dcikvQlIki+PlmPT +zXjPoIsirFJh3XSTRNbUDwIww6AuBbhxgJD78NhQY/12MC5zELOasWcpTKPyvLs HTIe8AbVLf5Z0blZdUZHGlzFBQlgPU3ydIjY1UStWPYNCQs2hTrtoq9y68LmDzix jRQ3jmKhMGsLwlrcskSyD/1qGGD6NNPRJwME7pXspy7mBlN0LS9OLRwhYHTzNGwx YTSKhy12xooqYkaJncZEduTBKwMJLMwk/HZxD7KRuKPM7xoK64mkyz/03rUsQORj na6Kqw9rcPfJG0jfh3/c =PyUp -----END PGP SIGNATURE-----

1 0

[OSSA 2013-001] Boot from volume allows access to random volumes (CVE-2013-0208)
by Thierry Carrez 29 Jan '13

29 Jan '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-001 CVE: CVE-2013-0208 Date: January 29, 2013 Title: Boot from volume allows access to random volumes Reporter: Phil Day (HP) Products: Nova Affects: Essex, Folsom Description: Phil Day from HP reported a vulnerability in volume attachment in nova-volume, affecting the boot-from-volume feature. By passing a specific volume ID, an authenticated user may be able to boot from a volume he doesn't own, potentially resulting in full access to that 3rd-party volume contents. Folsom setups making use of Cinder are not affected. Folsom fix (included in upcoming Nova 2012.2.3 stable update): http://github.com/openstack/nova/commit/317cc0af385536dee43ef2addad50a91357… Essex fix: http://github.com/openstack/nova/commit/243d516cea9d3caa5a8267b12d2f577dcb2… References: https://bugs.launchpad.net/nova/+bug/1069904 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0208 - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRCCZCAAoJEFB6+JAlsQQjDSYQALrBUhPwUbxFtVrTSGhjDK7A Donl1ykZy1CtsykGiXa5NuREw+xtoKZl/NteLDVRo/C0tWcGe2L2rk5FxMboKdRu 2I0CXXQ65liHySvZqzlZE6M5TfAhGWCJBOpZArbF6PcB/ZP/F/a/2/BU6HbHonSn g58Lq8wKK2JErU5djee9B22wkUTlxiZv2JThOGr/VRoR2F3Zxdmd3UbBC+9Db5tg OQMBHlGLXgSCvUZBkzMZwyfxvovf6fpTlmFU/8Ff9OWA4fMxtpsybIcD9BoaLZAd 2U2/f5qoIbh3soZGF5DH1ucVym0js8NtAf9E+9FVzg2SfHX0sF8Qo1sLowEb/43d n8WdBQBYLzfLjKqDGkvNUjfhDHkzO6ujekUQCdMtADBk1tBI6IdfSzyJkhMWXF5S Rs3Fpkr1gkXq0xuNf9UQPuA1op2TiBxKa5Z8svOfXnHa7m/NOsYHJ3S4hL5e9E6S osJ5LlZDvX+xUGIzRTpViAx0YGwNykRlInhtLJrAoKLWWV/3EA9ap4Bl6XB/ZFsO UbUeCDGpepAianOnx2S6p7JhERkcT7R0DHVWI7b5U5hPemt1B6bfkTzgwpwIstDv XtSwzVvUuNMfDUG2bMSfXmPqdzZBwdh4iKjIJzT5PecFQ5qBOJOvhF5/aCB2UtI2 LaVsd1b7v/7C3ln4j/bB =eX8i -----END PGP SIGNATURE-----

1 0