- OpenStack-announce - lists.openstack.org

[OSSA 2012-017] Authentication bypass for image deletion (CVE-2012-4573)
by Russell Bryant 08 Nov '12

08 Nov '12

OpenStack Security Advisory: 2012-017 CVE: CVE-2012-4573 Date: November 7, 2012 Title: Authentication bypass for image deletion Impact: High Reporter: Gabe Westmaas (Rackspace) Products: Glance Affects: Essex, Folsom, Grizzly Description: Gabe Westmaas from Rackspace reported a vulnerability in Glance authentication of image deletion requests. Authenticated users may be able to delete arbitrary, non-protected images from Glance servers. Only Folsom/Grizzly deployments that expose the v1 API are affected by this vulnerability. Additionally, Essex deployments that use the delayed_delete option are also affected. Fixes: Grizzly: https://github.com/openstack/glance/commit/6ab0992e5472ae3f9bef0d2ced410306… 2012.2 (Folsom): https://github.com/openstack/glance/commit/90bcdc5a89e350a358cf320a03f5afe9… 2012.1 (Essex): https://review.openstack.org/#/c/15562/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4573 https://bugs.launchpad.net/glance/+bug/1065187 Notes: This fix will be included in the grizzly-1 development milestone and in a future 2012.2 (Folsom) release. -- Russell Bryant OpenStack Vulnerability Management Team

1 1

OpenStack Community Weekly Newsletter (Oct 26-Nov 2)
by Stefano Maffulli 02 Nov '12

02 Nov '12

Highlights of the week Videos of OpenStack Summit Fall 2012 published <http://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/> The Summit was packed with amazing content, including user stories from Cisco WebEx, Living Social and CERN, 100+ developer working sessions and two full days of workshops. We now have more than 80 videos ready to view <http://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/> from the keynotes and breakout presentations: What did you like and how would you improve the OpenStack Summit? <https://www.surveymonkey.com/s/OpenStackFall2012> We're working hard to make each Summit better than the last. Please help us by taking this quick survey about your experience in San Diego <https://www.surveymonkey.com/s/OpenStackFall2012> by Friday, November 9. Welcome StackMeat.org <http://stackmeat.org/blog/welcome-stackmeatorg> Born from a personal itch by Márton Kiss, he contributed a central place where to find informations about existing projects of wider OpenStack ecosystem. CloudEnvy -- vagrant for OpenStack <http://www.rhonabwy.com/wp/2012/10/28/cloudenvy-vagrant-for-openstack/> What's CloudEnvy? Joe Heck <http://www.rhonabwy.com/wp> says it is "the most interesting illustration of CloudEnvy is using it to spin up an instance in a cloud, and then run devstack <https://github.com/openstack-dev/devstack> in that instance." EMEA OpenStack Day: Call For Speakers & Prospectus For Sponsors <http://www.openstack.org/blog/2012/10/emea-openstack-day-call-for-speakers-…> EMEA OpenStack Day is happening Wednesday, December 5, 2012 in London. You can find out more details about the event on the OpenStack Day EventBrite <http://emeaopenstackday2.eventbrite.com/> page. Nominations are open for speaker presentations. The deadline for speaker submissions is November 9, 2012. The sponsor prospectus <http://www.openstack.org/assets/EMEA-sponsorship-prospectus-london-12-5-201…> is now available online. There are five available event sponsor packages. Multifactor Auth and Keystone <http://adam.younglogic.com/2012/10/multifactor-auth-and-keystone/> The topic of how to enforce multifactor authentication with Keystone tokens came up often during the Design Summit in San Diego. Adam Young <http://adam.younglogic.com/> wrote a summary of the discussions. Link to the blueprint. <https://blueprints.launchpad.net/keystone/+spec/multi-factor-authn> PKI tokens and Horizon <http://adam.younglogic.com/2012/10/pki-tokens-horizon/> With PKI, tokens have gone from 40 byte to 3000. This plus additional payload in Horizon means that they no longer fit inside an HTTP cookie. How do we deal with this? Tips and tricks * By Everett Toews <http://blog.phymata.com/>: Contributing OpenStack Support to jclouds <http://blog.phymata.com/2012/10/03/contributing-openstack-support-to-jcloud…> (Updated to Folsom) Upcoming Events * OpenStack China Tour: Xi'an <http://hui.csdn.net/MeetingInfo.aspx?mid=151> Nov 03, 2012 -- Xi'an, China Details <http://www.cyberport.hk/campaign/edm/speaker/edm.html> * The Cloud is Open <http://www.cyberport.hk/campaign/edm/speaker/edm.html> Nov 06, 2012 -- Hong Kong Details <http://www.cyberport.hk/campaign/edm/speaker/edm.html> * Hungary User Group Meeting <http://www.meetup.com/OpenStack-Hungary-Meetup-Group/events/88548072/> Nov 13, 2012 -- Budapest, Hungary Details <http://www.meetup.com/OpenStack-Hungary-Meetup-Group/events/88548072/> * Swiss OpenStack user group meeting <http://www.meetup.com/zhgeeks/events/82917082/> Nov 15, 2012 -- Zürich, CH Details <http://www.meetup.com/zhgeeks/events/82917082/> * Australian OpenStack User Group -- Brisbane Technical Meetup <http://aosug.openstack.org.au/> Nov 20, 2012 -- Brisbane and other cities Details <http://aosug.openstack.org.au/> * OpenStack in action! <http://openstackinaction3theopenrevolution.eventbrite.com/> Nov 29, 2012 -- Paris, France Register <http://openstackinaction3theopenrevolution.eventbrite.com/> * EMEA OpenStack Day <http://www.openstack.org/> Dec 05, 2012 -- London Details <http://www.openstack.org/> Other news * Submit your presentation for the first Australian linux.conf.au OpenStack miniconf <http://firedaemon.wufoo.com/forms/z7x2p1/> * libvirt 1.0.0 release and 7th birthday <http://berrange.com/posts/2012/11/02/announce-libvirt-1-0-0-release-and-7th…> * Video: How Cisco Webex deploys OpenStack Private Cloud into Production <http://www.mirantis.com/blog/cisco-webex-mirantis-openstack-private-cloud-p…> * Mirantis brings OpenStack Cloud to Open Storage Summit 2012 <http://www.mirantis.com/blog/mirantis-brings-openstack-cloud-to-open-storag…> * OpenStack Project Meeting: skipped this week Welcome new contributors Celebrating the first patches submitted this month by: Melanie Witt, Yahoo! * Matthias Runge, RedHat * long-wang, CS2C * Rainya Mosher, Rackspace * James Page, Ubuntu * Pedro Navarro Perez, * Gerardo Porras, Yahoo! * Guang-yee, HP * Davanum Srinivas * Sathish Nagappan, Nebula * galstrom21, Rackspace * David Kang, ISI * Andrea Rosa, HP * jking-6, Internap * sathish-nagappan, Nebula * Alex Handle * Dan Radez, RedHat * Michael H Wilson * Jolyon Brown * Derrick J. Wippler * boden, IBM /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

OpenStack Community Weekly Newsletter (Oct 19-26)
by Stefano Maffulli 26 Oct '12

26 Oct '12

Highlights of the week More coverage of OpenStack Summit We've all been catching some air this week, it seems. Some more reports from the community: * SDKs and an OpenStack Grizzly Summit Wrap Up <http://blog.phymata.com/2012/10/22/sdks-and-an-openstack-grizzly-summit-wra…> * Back from San Diego OpenStack Summit <http://maffulli.net/2012/10/20/back-from-san-diego-openstack-summit/> * OpenStack Design Summit -- wrap-up and links <http://www.rhonabwy.com/wp/2012/10/20/openstack-design-summit-wrap-up-and-l…> * Swift @ OpenStack Summit 2012 <http://www.zmanda.com/blogs/?p=971> * Feedback from Design Summit in the first part of the Project meeting log <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-10-23-21.…> * OpenStack Summit Beach Clean Up <http://www.openstack.org/blog/2012/10/openstack-summit-beach-clean-up/> with great pictures Inside Synaps, a CloudWatch-like implementation for OpenStack <http://julien.danjou.info/blog/2012/openstack-synaps-exploration> A few days ago, Samsung <http://www.samsung.com/> released the source code of Synaps <https://github.com/spcs/synaps>, an implementation of the Amazon Web Service CloudWatch API <http://aws.amazon.com/cloudwatch/> for OpenStack <http://openstack.org/>. Julien Danjou <http://julien.danjou.info/blog/>, a contributor to the Ceilometer <http://launchpad.net/ceilometer> project, gives a look at this project and how it could overlap with Ceilometer or other projects like Heat <http://www.heat-api.org/>. Why OpenStack doesn't need a Linus Torvalds <http://fnords.wordpress.com/2012/10/25/why-openstack-doesnt-need-a-linus-to…> As comparing OpenStack with Linux becomes an increasingly popular exercise <http://www.devx.com/blog/is-openstack-the-linux-of-cloud.html>, it's only natural that people and press articles start to ask where the Linus of OpenStack is, or who the Linus of OpenStack <http://www.networkworld.com/news/2012/102412-openstack-linus-263659.html?hp…> should be. This assumes that technical leaders could somehow be appointed in OpenStack. This assumes that the single dictator model is somehow reproducible or even desirable. And this assumes that the current technical leadership in OpenStack is somehow lacking. Thierry Carrez thinks all those three assumptions are wrong. Preauthorization in Keystone <http://adam.younglogic.com/2012/10/preauthorization-in-keystone/> Sometimes you need to authorize a service to perform an action on your behalf. Often, that action takes place long after any authentication token you can provide would have expired. Currently, the only mechanism in Keystone that people can use is to share credentials. Adam Young <http://adam.younglogic.com/> argues: We can do better. New wiki page: Software Development Kits <http://wiki.openstack.org/SDKs> SDKs are a vital part of any ecosystem and we need to start treating them as such in OpenStack. To do so we need to raise the profile and legitimacy of SDKs that support OpenStack. Heat version 7 released <http://markmail.org/message/teb4mvtru6ismk7a> Heat allows you to launch AWS CloudFormation templates on OpenStack. CloudFormation is a programmable interface and templating system for orchestrating multiple cloud applications. This version adds an OpenStack-native ReST API. Tips and tricks * By Grid Dynamics OpenStack Team <http://openstackgd.wordpress.com/>: OpenStack Migration from Diablo to Essex <http://openstackgd.wordpress.com/2012/10/20/435/> * By Mirantis <http://www.mirantis.com/>: Making the most of your application performance on OpenStack Cloud <http://www.mirantis.com/blog/making-most-of-openstack-compute-performance/> Upcoming Events * OpenStack China Tour <http://hui.csdn.net/MeetingInfo.aspx?mid=141> Oct 27, 2012 -- Chengdu Details <http://hui.csdn.net/MeetingInfo.aspx?mid=141> * Swiss OpenStack user group meeting <http://www.meetup.com/zhgeeks/events/82917082/> Nov 15, 2012 -- Zürich, CH Details <http://www.meetup.com/zhgeeks/events/82917082/> * OpenStack in action! <http://openstackinaction3theopenrevolution.eventbrite.com/> Nov 29, 2012 -- Paris, France Register <http://openstackinaction3theopenrevolution.eventbrite.com/> * EMEA OpenStack Day <http://www.openstack.org/> Dec 05, 2012 -- London Details <http://www.openstack.org/> Other news * OpenStack Security Group <http://wiki.openstack.org/GrizzlyReleaseSchedule> * Grizzly Release Schedule <http://wiki.openstack.org/GrizzlyReleaseSchedule> published * OpenStack Project Meeting: summary <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-10-23-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-10-23-21.…>. /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment. /

1 0

OpenStack Community Weekly Newsletter (Oct 12-19)
by Stefano Maffulli 19 Oct '12

19 Oct '12

Highlights of the week Coverage of OpenStack Summit This was a busy week for all of OpenStack members. A few reports from the community: * OpenStack Summit: Day 1 <http://www.openstack.org/blog/2012/10/openstack-summit-day-1/> * OpenStack Summit Day 1 Blog <http://dell.to/SXfQsh> * A list of announcements from day 1 <http://nikiacosta.tumblr.com/post/33651664399/openstack-design-summit-and-c…> * From the Ground at the OpenStack Summit <http://www.openstack.org/blog/2012/10/from-the-ground-at-the-openstack-summ…> * Keynotes Recap from Day 2: OpenStack in production <http://www.openstack.org/blog/2012/10/keynotes-recap-from-day-2-openstack-i…> * Keynote Recap, Day 2: Why We Do What We Do <http://www.openstack.org/blog/2012/10/keynote-recap-day-2-why-we-do-what-we…> * OpenStack Summit Day 2 Blog <http://dell.to/P8GyPG> * OpenStack Summit Day 3 Blog <http://dell.to/T0V0DT> * OpenStack Summit Closing Thoughts <http://en.community.dell.com/dell-blogs/dellsolves/b/weblog/archive/2012/10…> Collaboration in Action: Weaving Proven Tech Into OpenStack's Fabric <http://insights.wired.com/profiles/blogs/collaboration-in-action-weaving-pr…> The story of OpenStack community's collaboration at the Design Summit to make better clouds as told by Alex Glikson, leading a research group at IBM Haifa Research Lab. OpenStack Document Translation Guide <http://wiki.openstack.org/Documentation/Translation> OpenStack <http://wiki.openstack.org/OpenStack> uses Transifex to manage translations. OpenStack <http://wiki.openstack.org/OpenStack> Manuals are in DocBook <http://wiki.openstack.org/DocBook> format. We slice the documents into short statements, then use Transifex to manage the translation process, and finally converge the translated content into a new copy of DocBook <http://wiki.openstack.org/DocBook>, which will used to generate HTML and PDF versions. The easiest way to contribute to OpenStack is to start by translating the manuals. Getting started is super easy. Tips and tricks * By Citrix: Upload custom images to a XenServer powered OpenStack Cloud <http://blogs.citrix.com/2012/10/17/upload-custom-images-to-a-xenserver-powe…> * By Mirantis: Integrating OpenStack Cloud Nova Volume storage with Isilon <http://www.mirantis.com/blog/openstack-nova-volume-integration-with-isilon/> * By Chmouel: Emacs and nosetests <http://blog.chmouel.com/2012/10/14/emacs-and-nosetests/> * By Alessio Ababilov: OpenStack EPEL: the Dependency Purgatory <http://openstackgd.wordpress.com/2012/10/14/432/> Upcoming Events * Swiss OpenStack user group meeting <http://www.meetup.com/zhgeeks/events/82917082/> Nov 15, 2012 -- Zürich, CH Other news * As Nimbula joins OpenStack, a look at their cloud orchestration <http://www.mirantis.com/blog/nimbula-cloud-orchestration-director-openstack/> * Introducing the Rackspace Developer Relations Group and open cloud SDKs <http://blog.phymata.com/2012/10/15/introducing-the-rackspace-drg-and-sdks/> * How to Make Money on OpenStack | The Presentation Deck <http://www.mirantis.com/blog/how-to-make-money-on-openstack/> * To get OpenStack Cloud, get this: developers want Serverless Computing <http://www.mirantis.com/blog/openstack-cloud-serverless-computing-developer…> * OpenStack Foundation Board Meeting: summary <http://lists.openstack.org/pipermail/foundation/2012-October/001195.html> from Executive Director Soundtrack of the week 'Cloud Anthem' by Dope'n'Stack <http://www.dopenstack.com/> /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

OpenStack Community Weekly Newsletter (Oct 5-12)
by Stefano Maffulli 12 Oct '12

12 Oct '12

Highlights of the week Full steam towards the OpenStack Summit Fall 2012 now SOLD OUT <http://www.openstack.org/summit/san-diego-2012/> Whether you want to build the software, run it, grow the community or just learn more about it, there will be content, workshops and design sessions for you to attend at the OpenStack Summit, Oct 15-18 in San Diego. The agenda is complete <http://openstacksummitfall2012.sched.org/>. Stick around Friday for the first OpenStack service day, a 1/2 day beach cleanup <https://openstack-beach-cleanup.eventbrite.com/>. Grizzly Design Summit schedule posted <http://fnords.wordpress.com/2012/10/10/grizzly-design-summit-schedule-poste…> Aside from the Grizzly Design Summit <http://wiki.openstack.org/Summit/Grizzly> sessions, there will be also a room for an *Unconference*, open from Tuesday to Thursday. You can grab a 40-min slot there to present anything related to OpenStack! We'll also have 5-min *Lightning talks* after lunch on Monday-Wednesday where you can talk about anything you want. There will be a board posted on the Summit floor, first-come-first-served. Participating Remotely to OpenStack Summit 2012 <http://www.openstack.org/blog/2012/10/participating-remotely-to-openstack-s…> If you can't make it to San Diego but you still want to participate in the sessions that will shape the future roadmap of OpenStack 'Grizzly' you can join the live audio streaming events on Webex. Kindly donated by Cisco Webex team (users of OpenStack themselves <http://openstacksummitfall2012.sched.org/event/54ea0d2c841925ba397dea8aece6…>), the Webex session will run for the whole day from 9:30am to 6:00pm for each of the rooms Emma AB <http://openstacksummitfall2012.sched.org/venue/Emma%20AB>, Emma C <http://openstacksummitfall2012.sched.org/venue/Emma%20C>, Windsor BC <http://openstacksummitfall2012.sched.org/venue/Windsor%20BC>, Annie AB <http://openstacksummitfall2012.sched.org/venue/Annie%20AB> where the Design Summit <http://openstacksummitfall2012.sched.org/overview/type/design+summit> will happen. 8 OpenStack Questions? Answered. <http://www.mirantis.com/blog/8-openstack-questions-answered/> /GigaOm/'s Barb Darrow intrigued the cloud community with her 8 questions about OpenStack <http://gigaom.com/cloud/top-8-questions-for-the-openstack-summit/> as the next summit approaches. Boris Renski didn't resist answering to all of them. How Sina Contributes to OpenStack <http://www.openstack.org/blog/2012/10/how-sina-contributes-to-openstack/> Sina keeps increasing its investments on OpenStack: not only code contributions for theFolsom release but also promotion of the project all across China and StackLab.org <http://StackLab.org/> (since trystack.org is not accessible from China). XenServer 6.1, XCP 1.6 and OpenStack Folsom <http://blogs.citrix.com/2012/10/10/xenserver-6-1-xcp-1-6-and-openstack-fols…> In other words, what Citrix contributed to Folsom: lots of nice things. How swift is your Swift? Benchmarking OpenStack Swift. <http://www.zmanda.com/blogs/?p=947> The OpenStack Swift project has been developing at a tremendous pace. The version 1.6.0 was released in August followed by 1.7.4 (Folsom <http://wiki.openstack.org/ReleaseNotes/Folsom>) just after two months! In these two recent releases, many important features have also been implemented, for example the optimization for using SSD, object versioning, StatsD logging and much more -- many of these features have significant implications for performance planning for the cloud builders and operators. Zmanda talks about benchmarks for Swift. What prevents you from becoming a contributor to OpenStack. <http://syedarmani.blogspot.com/2012/09/how-to-start-contributing-to-opensta…> Syed Armani asked to participants to Indian OpenStack user group meetings what prevents them to become contributors. Interesting findings, we may want to expand the survey. Tips and tricks * By Mirantis <http://www.mirantis.com/>: Integrating OpenStack Nova-network with Infoblox IP Address Management <http://www.mirantis.com/blog/openstack-nova-network-integration-infoblox-ad…> * By Mirantis <http://www.mirantis.com/>: Configuring a multi-region cluster for cloud object storage with OpenStack Swift <http://www.mirantis.com/blog/configuring-multi-region-cluster-openstack-swi…> * By Sébastien Han <http://sebastien-han.fr/>: Delete a VM in error state (Folsom) <http://sebastien-han.fr/blog/2012/10/08/delete-a-vm-in-error-state-folsom/> * By Boden Russell <http://pipes.yahoo.com/pipes/pipe.info?_id=8f41411877dcf711f49be866d9c7b60e>: OpenStack Keystone Workflow & Token Scoping <https://www.ibm.com/developerworks/mydeveloperworks/blogs/e93514d3-c4f0-4aa…> Upcoming Events * OpenStack Summit <http://openstack.org/> Oct 15 -- 18, 2012 -- San Diego, CA * Swiss OpenStack user group meeting <http://www.meetup.com/zhgeeks/events/82917082/> Nov 15, 2012 -- Zürich, CH Other news * OpenStack Cloud Folsom Webcast: Followup on your questions <http://openstackgd.wordpress.com/> * Grid Dynamics OpenStack Team <http://openstackgd.wordpress.com/>: Altai v1.0.1 is outWelcome To OpenStack Nation (Delhi NCR) <http://syedarmani.blogspot.com/2012/09/welcome-to-openstack-nation-delhi-nc…> * [Ceilometer] Release 0.1 (Folsom) <http://markmail.org/message/nccxg3m7aokvsgdq> * OpenStack Nova, Keystone and Horizon 2012.1.3 released <http://markmail.org/message/yqvid5aob2kog2lg> * OpenStack Project Meeting 2012-10-09: Summary <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-10-09-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-10-09-21.…>. Chart of the week Evolution of web traffic on openstack.org in the 6 months period, from April-September 2012 compared to the previous period October 2011-March 2012. <http://www.openstack.org/blog/wp-content/uploads/2012/10/openstackorg-folso…> /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

[ANNOUNCE] OpenStack Nova, Keystone and Horizon 2012.1.3 released
by Mark McLoughlin 12 Oct '12

12 Oct '12

Hey, In the time since the Essex release, we have been busy selectively back-porting bugfixes to the stable/essex branch according to our "safe source of high-impact fixes" criteria documented here: http://wiki.openstack.org/StableBranch We're happy to announce the 2012.1.3 release, the latest in the series of releases to make available the bugfixes from stable/essex. These releases are bugfix updates to Essex and are intended to be relatively risk free with no intentional regressions or API changes. The list of bugs fixed can be seen here: https://launchpad.net/nova/+milestone/2012.1.3 https://launchpad.net/keystone/+milestone/2012.1.3 https://launchpad.net/horizon/+milestone/2012.1.3 Please read (and add to!) the release notes at: http://wiki.openstack.org/ReleaseNotes/2012.1.3 This release is the last planned release of Essex Nova, Keystone and Horizon. There may be a further release of Essex Glance to resolve a serious issue with Diablo to Essex migrations. Enjoy! Mark.

1 0

OpenStack Community Weekly Newsletter (Sep 28-Oct 5)
by Stefano Maffulli 05 Oct '12

05 Oct '12

Highlights of the week Full steam towards the OpenStack Summit Fall 2012 <http://www.openstack.org/summit/san-diego-2012/> Whether you want to build the software, run it, grow the community or just learn more about it, there will be content, workshops and design sessions for you to attend at the OpenStack Summit, Oct 15-18 in San Diego. Registration still open <http://openstacksummitfall2012.eventbrite.com/>, and the agenda (almost) complete <http://openstacksummitfall2012.sched.org/>. Stick around Friday for the first OpenStack service day, a 1/2 day beach cleanup <https://openstack-beach-cleanup.eventbrite.com/>. Contributing OpenStack Support to jclouds <http://blog.phymata.com/2012/10/03/contributing-openstack-support-to-jcloud…> jclouds <http://www.jclouds.org/> is a popular cross-cloud toolkit that covers an impressive number of public and private cloud providers. There are lots of advantages for both projects to help each other. Read the article Everett Toews <http://blog.phymata.com/> wrote to get started contributing OpenStack support to jclouds. Tracking OpenStack adoption / Discussion at Summit <http://markmail.org/message/5gplkacmj5ydz2f3> One of the objectives of the OpenStack Foundation is to "Make OpenStack the ubiquitous cloud operating system". In order to reach that objective the Foundation needs to understand more about the usage of the OpenStack software. OpenStack distributions are requested to participate in this conversation at the OpenStack Design Summit <http://summit.openstack.org/cfp/details/64>. Providing a Unified View of OpenStack Projects <http://www.openstack.org/blog/2012/09/providing-a-unified-view-of-openstack…> Want to find answers to questions like: who's contributing to that particular feature of OpenStack? What is that developer working on? How many work hours/lines of code went into adding that feature/blueprint? What are users saying about OpenStack? Watch the recordings of the webinar <http://youtu.be/IFHFkwABEzc> and provide feedback answering the four simple questions in the survey <https://www.surveymonkey.com/s/78JXGLC>. Don't miss the talk on Wednesday, October 17 in San Diego <http://openstacksummitfall2012.sched.org/event/a5194145c6d2667d3e9d83a5d012…>. Security Advisory * CVE-2012-4456 : Some actions in Keystone admin API do not validate token <http://secstack.org/2012/10/cve-2012-4456-some-actions-in-keystone-admin-ap…> * CVE-2012-4457 : Token authorization for a user in a disabled tenant is allowed <http://secstack.org/2012/10/cve-2012-4457-token-authorization-for-a-user-in…> Tips and tricks * By SwiftStack Team <http://swiftstack.com/>: (Un)Official Party Guide for the OpenStack Summit in San Diego 2012 <http://swiftstack.com/blog/2012/10/04/parties-at-the-openstack-summit/> * By Mate Lakat <http://blogs.citrix.com/>: Convert a raw image to XenServer -- VHD <http://blogs.citrix.com/2012/10/04/convert-a-raw-image-to-xenserver-vhd/> * By Ryan Lane <http://ryandlane.com/blog>: Extending a flatdhcp network the hard way <http://ryandlane.com/blog/2012/10/03/extending-a-flatdhcp-network-the-hard-…> Upcoming Events * Help needed to organize the OpenStack devroom for *FOSDEM* 2013 <http://markmail.org/message/7ridfk4vgilz7slj> * OpenStack Summit <http://openstack.org/> Oct 15 -- 18, 2012 -- San Diego, CA * Swiss OpenStack user group meeting <http://www.meetup.com/zhgeeks/events/82917082/> Nov 15, 2012 -- Zürich, CH Other news * OpenStack China Tour #2 Shenzhen <http://www.openstack.org/blog/2012/09/openstack-china-tour-2-shenzhen/>Report from the second stop of OpenStack China Tour, Shenzhen <http://hui.csdn.net/MeetingInfo.aspx?mid=135> * Andrew Hutchings <http://www.linuxjedi.co.uk/search/label/openstack> gave a keynote to O'Reilly Velocity Europe titled: Openstack -- Coding at Scale Keynote <http://www.linuxjedi.co.uk/2012/10/openstack-coding-at-scale-keynote.html> * Ceilometer release status 2012-10-05 <http://markmail.org/message/xys4xmfe3pn5c3f5> * What's up doc? Oct 3 2012 <http://markmail.org/message/sxlh3gykzd3cy4ar> News from Doc Land, "where grammarians reign and roam" * Motion to validate Ceilometer's application as incubated project <http://markmail.org/message/jdjziekorrmfv4v3> * Happy Birthday Hastexo! One year in! <http://www.hastexo.com/blogs/florian/2012/10/04/one-year> * OpenStack Project Meeting 2012-10-02: Summary <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-10-02-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2012/project.2012-10-02-21.…> /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

[OpenStack-announce] python-cinderclient 1.0.0 released to PyPi
by John Griffith 01 Oct '12

01 Oct '12

All, To go along with last weeks Folsom release of Cinder we've also released 1.0.0 of python-cinderclient to PyPi. This will sync up needed changes in cinderclient with additions that were made in Cinder over the past few weeks. Thanks, John

1 0

[OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)
by Russell Bryant 28 Sep '12

28 Sep '12

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenStack Security Advisory: 2012-015 CVE: CVE-2012-4456 Date: September 28, 2012 Title: Some actions in Keystone admin API do not validate token Impact: High Reporter: Jason Xu Products: Keystone Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone) Description: Jaxon Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing roles for a user. The second was the ability to get, create, and delete services. Folom Fixes: (Included in 2012.2) http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb… http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147… Essex Fixes: (Included in 2012.1.2) http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c… http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a… References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456 https://bugs.launchpad.net/keystone/+bug/1006815 https://bugs.launchpad.net/keystone/+bug/1006822 - -- Russell Bryant OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBmDcYACgkQFg9ft4s9SAam7wCgpJ6b7dcF/vZab3zTcNr0V84u k2QAnAzwGx0H69iw6gVQApaCnd9V1lQk =xR0F -----END PGP SIGNATURE-----

1 0

[OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457)
by Russell Bryant 28 Sep '12

28 Sep '12

OpenStack Security Advisory: 2012-016 CVE: CVE-2012-4457 Date: September 28, 2012 Title: Token authorization for a user in a disabled tenant is allowed Impact: High Reporter: Rohit Karajgi (NTT Data) Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-3 development milestone) Description: Rohit Karajgi reported a vulnerability in Keystone. It was possible to get a token that is authorized for a disabled tenant. Once the token is established with authorization on the tenant, keystone would respond 200 OK to token validation requests from other OpenStack services, allowing the user to work with the tenant's resources. Folsom fix: (Included in 2012.2) http://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b… Essex fix: (Included in 2012.1.2) http://github.com/openstack/keystone/commit/5373601bbdda10f879c08af16988521… References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4457 https://bugs.launchpad.net/keystone/+bug/988920 -- Russell Bryant OpenStack Vulnerability Management Team

1 0