- OpenStack-announce - lists.openstack.org

[OSSA 2013-024] Resource limit circumvention in Nova private flavors (CVE-2013-4278)
by Thierry Carrez 28 Aug '13

28 Aug '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-024 CVE: CVE-2013-4278 Date: August 28, 2013 Title: Resource limit circumvention in Nova private flavors Reporter: Ken'ichi Ohmichi (NEC) Products: Nova Affects: All versions Description: Ken'ichi Ohmichi from NEC reported that the fix for OSSA 2013-019 (CVE-2013-2256) was incomplete. Any tenant was still able to boot any other tenant's private flavors by guessing a flavor ID. This potentially allowed circumvention of any resource limits enforced through the os-flavor-access:is_public property. Havana (development branch) fix: https://review.openstack.org/#/c/42922/ Grizzly fix: https://review.openstack.org/#/c/43281/ Folsom fix: https://review.openstack.org/#/c/43296/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4278 https://bugs.launchpad.net/nova/+bug/1212179 Regards, - -- Thierry Carrez OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIbBAEBCAAGBQJSHfbsAAoJEFB6+JAlsQQjPUkP9i/41IQPecZ/1V7nsQLPWssp AUgP5tEwEUGVNGaMM6ptaQtQxrLD+aACi7z8zRZgJopHrDptbIckbRikeSxrzsLB eWQxynkFPhcjRQTFZOuoEwDdqYUFCr614uGUmCFomYTBIWEZS3ea5aN7PAO4fd62 6hsOHr6xcj7JcZY1GlVNZBcpWel9rvxcXroPrPqmecyDdSPCuiWj8QNiWQ8Y62Vy ZSOzHjyAWe32sqMSYp3zygdhpX1yacTVf76jDNw+FcLHkqFf4kRX7uJCCPFKNpIk 2nngSjWZEizIkinIc+mzt2vFKt7JMjCJsy7uLKIp9HsJzVN8qH0x6axe3nuMoliC xdzybOzlCfEOU+L1q0fVVAiuTnXqE562mnm7HchHiUpKHJRv+4hWwukOsy2Wv+aD TweNziKwmxYdakhEduql4BJ1/6Mqk+1014Q/uOAyO8iKra8JO9i/ZULvuJgQNIao oXdFCJoKItP+UouaZ4PrRwilwWgVu4rsRWL1STcHgnHorFrCJQ0iO/W9ofn+ft4z R2q3tBpJDaeorM2D/Q2VkzYvUzAEAa+BCh1CRxMCVIMh6VmSv40TzczmgrdSRUVj 7cKaxc0xiLiPOoYorWuL0A7RPkadOMk9SihmakX70UR5NyfoqdOoAYnl8xcKNaD8 MlxVcQfdPQMWbw6UltQ= =DGPB -----END PGP SIGNATURE-----

1 0

OpenStack Community Weekly Newsletter (Aug 10-23)
by Stefano Maffulli 24 Aug '13

24 Aug '13

Cast your vote for the presentation to be presented at OpenStack Summit, November 5-8, in Hong Kong <http://www.openstack.org/rate/> ???????????????????? ???????, ???????? <http://openstacksummitnovember2013.eventbrite.com/> Introducing the OpenStack Ambassador Program <http://www.openstack.org/blog/2013/08/ambassador-program/> OpenStack Community Manager Tom Fifield started the discussion on the formation of an OpenStack Ambassador Program, which aims to create a framework of community leaders to sustainably expand the reach of OpenStack around the world. We would like to recognize and further empower these community members to achieve the OpenStack mission, as well as provide more structure and resources to the growing community and user groups. Your feedback would be excellent! For more specifics on the program, and information about becoming an ambassador, stay tuned for the next post. Managing identities in the cloud <http://openstack-in-production.blogspot.com/2013/08/managing-identities-in-…> CERN has 11,000 physicists who use the lab's facilities including the central IT department resources. As with any research environment, there are many students, PhDs and other project members who join one of the experiments at CERN. They need to have computing accounts to access CERN's cloud but we also need to make sure these resources are handled correctly when they are no longer affiliated with the organisation. Why OpenStack Puppet modules did not have vacation <http://my1.fr/blog/why-openstack-puppet-modules-did-not-have-vacation/?utm_…> A lot of work has been done on Puppet modules lately. There is no doubt to say that puppet modules are designed for high-quality and best-practices configurations around an important community who takes care of those concepts. Yet another way to monitor OpenStack <http://my1.fr/blog/yet-another-way-to-monitor-openstack/?utm_source=rss&utm…> Emilien Macchi <http://my1.fr/blog> decided to write some useful scripts to check if every OpenStack service are running. He was not fully satisfied with current methods because he feels they lack some deepness. refined: 10 OpenStack Core Positions <http://robhirschfeld.com/2013/08/13/openstack-core-positions/> OpenStack Foundation Board member Rob Hirschfeld <http://robhirschfeld.com/> keeps iterating looking for a proposal to define "what is core" <http://robhirschfeld.com/2013/07/22/kicking-off-core/> in the context of OpenStack. This is a must-read for anybody interested in joining the meeting in San Francisco on Aug 27 <http://www.meetup.com/openstack/events/134495312/>. Tips 'n Tricks * By Adam Young <http://adam.younglogic.com/>: Deploying Keystone via Puppet on Fedora 19 <http://adam.younglogic.com/2013/08/deploying-keystone-via-puppet-on-f19/> * By Sébastien Han <http://sebastien-han.fr/>: Configure Ceph RBD caching on OpenStack Nova <http://sebastien-han.fr/blog/2013/08/22/configure-rbd-caching-on-nova/> * By Sébastien Han <http://sebastien-han.fr/>: Best localrc for DevStack <http://sebastien-han.fr/blog/2013/08/16/best-localrc-for-devstack/> * By Kenneth Hui <http://cloudarchitectmusings.com/>: OpenStack Compute For vSphere Admins, Part 5: Designing A Multi-hypervisor Cloud <http://cloudarchitectmusings.com/2013/08/22/openstack-compute-for-vsphere-a…> * By Sandro Mathys <http://www.blog.sandro-mathys.ch/search/label/OpenStack>: Install OpenStack Havana-2 from RDO on Fedora 19 and avoid the pitfalls <http://www.blog.sandro-mathys.ch/2013/08/install-rdo-havana-2-on-fedora-19-…> * By Lorin Hochstein <http://lorinhochstein.wordpress.com/>: Automated DevStack install inside of VirtualBox with Vagrant <http://lorinhochstein.wordpress.com/2013/08/17/automated-devstack-install-i…> * By John Bresnahan <https://tropicaldevel.wordpress.com/>: Preparing Fedora 19 for OpenStack Glance Development <https://tropicaldevel.wordpress.com/2013/08/14/preparing-fedora-19-for-open…> * By Mehdi Abaakouk <http://blog.sileht.net/>: Using a sharding/replicaSet mongodb with ceilometer <http://blog.sileht.net/using-a-shardingreplicaset-mongodb-with-ceilometer> * By Flavio Percoco <http://blog.flaper87.org/>: Using libgfapi to access Glusterfs Volumes in Nova <http://blog.flaper87.org/post/520b7ff00f06d37b7a766dc0/> * By Loïc Dachary <http://dachary.org/>: HOWTO install Ceph teuthology on OpenStack <http://dachary.org/?p=2204> * By ICCLab <http://www.cloudcomp.ch/>: OpenStack HA: why is Pacemaker such a slow recovery tool? <http://www.cloudcomp.ch/2013/08/openstack-ha-why-is-pacemaker-such-a-slow-r…> * By Mirantis <http://www.mirantis.com/>: Demo Video: Using Heat for Auto-scaling with OpenStack cloud <http://www.mirantis.com/blog/heat-autoscaling-in-action/> * By The Official Rackspace Blog <http://www.rackspace.com/blog>: OpenStack Nova-Scheduler And vSphere DRS <http://www.rackspace.com/blog/openstack-nova-scheduler-and-vsphere-drs/> * By Daniel P. Berrangé <https://www.berrange.com/>: Fine grained access control in libvirt using polkit <https://www.berrange.com/posts/2013/08/12/fine-grained-access-control-in-li…> Upcoming Events * Bangalore Meetup <http://www.meetup.com/Indian-OpenStack-User-Group/events/132218642/> Aug 24, 2013 -- Bangalore, India Details <http://www.meetup.com/Indian-OpenStack-User-Group/events/132218642/> * Primer Evento Grupo Venezolano OpenStack <https://plus.google.com/u/0/106856980692854321746/posts/bFpvMPqffp9> Aug 24, 2013 -- Caracas, Venezuela Details <https://plus.google.com/u/0/106856980692854321746/posts/bFpvMPqffp9> * 2nd OpenStack User Group Nordics meetup <http://www.meetup.com/OpenStack-User-Group-Nordics/>Sep 11, 2013 -- Kista, Stockholm Details <http://www.meetup.com/OpenStack-User-Group-Nordics/> * OpenStack In Action -- Powering IaaS Cloud <http://barcampbangalore.org/bcb/bcb14/openstack-in-action-powering-iaas-clo…>Sep 14, 2013 -- SAP Labs Whitefield, Bangalore Details <http://barcampbangalore.org/bcb/bcb14/openstack-in-action-powering-iaas-clo…> * Cloud Connect China <http://www.cloudconnectevent.cn/>, September 15-17 2013, Shanghai, China * LinuxCon/Cloud Open North America <http://events.linuxfoundation.org/events/cloudopen-north-america>, September 16-18 2013, New Orleans, LA, USA, * GigaOM Structure UK <http://event.gigaom.com/structure>, September 18-19 2013, London, England, UK * OpenStack India Day <http://openstackindia.wordpress.com/2013/08/14/openstack-india-day-2013-ann…> Sep 21, 2013 -- Bangalore Details <http://openstackindia.wordpress.com/2013/08/14/openstack-india-day-2013-ann…> * Hosting & Cloud Transformation Summit <http://na.hostingtransformation.com/>Sep 23 -- 25, 2013 -- Las Vegas, USA Details <http://na.hostingtransformation.com/> * OpenStack on Ales <http://openstack.onales.com/> Sep 30 -- Oct 01, 2013 -- Bend, OR Details <http://openstack.onales.com/> * Open World Forum (Paris) <http://www.openworldforum.com/>,October 3-5 2013, Paris, France * Gartner Symposium/IT Expo North America <http://www.gartner.com/technology/symposium/orlando/>, October 6-10 2013, Orlando, FL, USA, * OpenStack in action! -- The Canadian Chapter <https://openstackinactioncanada.eventbrite.com/> Oct 08, 2013 -- Montreal, Canada Details <https://openstackinactioncanada.eventbrite.com/> * Swift Hackathon <http://swifthackathon.eventbrite.com/> Oct 15 -- 17, 2013 -- Aust, TX Details <http://swifthackathon.eventbrite.com/> * LinuxCon/Cloud Open Europe <http://events.linuxfoundation.org/events/cloudopen-europe>, October 21-23 2013, Edinburgh, Scotland, UK * Cloud Connect <http://www.cloudconnectevent.com/chicago>, October 21-24 2013, Chicago, IL, USA * USENIX LISA <https://www.usenix.org/conference/lisa13>, November 3-8 2013, Washington DC, USA * OW2 Annual Conference <http://www.ow2.org/view/OW2con-2013/>, November 13-14 2013, Paris, France * INTEROP <http://www.interop.in/> Nov 20 -- 22, 2013 -- Mumbai, India Details <http://www.interop.in/> * Gartner Data Center Conference <http://www.gartner.com/technology/summits/na/data-center/>, December 9-12 2013, Las Vegas, NV, USA Reports from Previous Events * Slides from OpenStack in production <http://sebastien-han.fr/blog/2013/08/15/openstack-in-production-slides/> * OpenStack in Debian <http://www.enovance.com/fr/blog/5900/openstack-in-debian> * Wrap Up: Google+ Hangout with Puppet Labs <http://rafstack.tumblr.com/post/58158674229> Other News * Benchmark OpenStack Swift <http://www.enovance.com/fr/blog/5893/benchmark-openstack-swift> * OpenMic Spotlight: Gabriel Hurley <http://www.openstack.org/blog/2013/08/openmic-spotlight-gabriel-hurley/> * OpenMic Spotlight: Kyle Mestery <http://www.openstack.org/blog/2013/08/openmic-spotlight-kyle-mestery/> * The Fanatical Faces Of Rackspace Private Cloud: Joe Burke <http://www.rackspace.com/blog/the-fanatical-faces-of-rackspace-private-clou…> * The Fanatical Faces Of Rackspace Private Cloud: Tech Writer Karin Levenstein <http://www.rackspace.com/blog/the-fanatical-faces-of-rackspace-private-clou…> * OpenStack Community Meeting: Summary <http://eavesdrop.openstack.org/meetings/openstack_community/2013/openstack_…> and full logs <http://eavesdrop.openstack.org/meetings/openstack_community/2013/openstack_…> * OpenStack Project Meeting: Summary <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-08-20-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-08-20-21.…> Got answers? Ask OpenStack <https://ask.openstack.org/> is the go-to destination for OpenStack users. Interesting questions waiting for answers: previous week's: * How to troubleshoot a Swift Container running with a high CPU amount? <https://ask.openstack.org/en/question/4431/how-to-troubleshoot-a-swift-cont…> * Failed to mount filesystem: no operating system was found on this disk <https://ask.openstack.org/en/question/4409/failed-to-mount-filesystem-no-op…> * Is there a way of passing the language header to openstack REST API calls so that the message returned by openstack is localized? <https://ask.openstack.org/en/question/4346/is-there-a-way-of-passing-the-la…> * How to create the connection between OVS bridge and the linux bridge? <https://ask.openstack.org/en/question/4293/how-to-create-the-connection-bet…> * Realm Value need to be passed from horizon to get the complete list of available Idp's in Keystone ? <https://ask.openstack.org/en/question/4280/realm-value-need-to-be-passed-fr…> * Slow virtio network performance <https://ask.openstack.org/en/question/4240/slow-virtio-network-performance/> * Unable to configure baremetal for grizzly: DatabaseNotControlledError <https://ask.openstack.org/en/question/4237/unable-to-configure-baremetal-fo…> Welcome New Developers Is your affiliation correct? Check your profile in the OpenStack Foundation Members Database! * Jaime Gil de Sagredo Luna, StackOps * Joshua Hesketh * Oleg Gelbukh, Mirantis * Jiri Stransky, Red Hat * Steffen Gebert, None * Trevor Robert, Jr, Cisco * Pei Zhen, None * Sabari Kumar Murugesan, Vmware * Ignacio Barrio, Stackops * Charles V Bock, Intel * Jordan OMara, Red Hat * Sarah Novotny, Meteor Entertainment * Maksym Iarmak, Mirantis * Marton Kiss, Fremont Ltd * Petr Blaho, Red Hat * Ryan Hsu, Vmware * Alan Jiang, IBM * Zhang Guoqing, None * Hwbi * Abhijeet Malawade, NTT Data * Shuangtai Tian, Intel * Jake Liu, None * Vladislav Kuzmin, Mirantis * Nejc Saje, Xlab d.o.o. * Peter Mooshammer, None * Floren Llanos, None /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

[Swift] Swift 1.9.9 RC available
by John Dickinson 13 Aug '13

13 Aug '13

Today we have released Swift 1.9.1 (RC1). The tarball for the RC is at http://tarballs.openstack.org/swift/swift-milestone-proposed.tar.gz This release was initially prompted by a bug found by Peter Portante (https://bugs.launchpad.net/swift/+bug/1196932) and includes a patch for it. All clusters are recommended to upgrade to this new release. As always, you can upgrade to this version of Swift with no end-user downtime. In addition to the patch mentioned above, this release contains a few other important features: * The default worker count has changed from 1 to auto. The new default value will for workers in the proxy, container, account & object wsgi servers will spawn as many workers per process as you have cpu cores. * A "reveal_sensitive_prefix" config parameter was added to the proxy_logging config. This value allows the auth token to be obscured in the logs. * The Keystone middleware will now enforce that the reseller_prefix ends in an underscore. Previously, this was a recommendation, and now it is enforced. There are several other changes in this release. I'd encourage you to read the full changelog at https://github.com/openstack/swift/blob/master/CHANGELOG. On the community side, this release includes the work of 7 new contributors. They are: Alistair Coles (alistair.coles(a)hp.com) Thomas Leaman (thomas.leaman(a)hp.com) Dirk Mueller (dirk(a)dmllr.de) Newptone (xingchao(a)unitedstack.com) Jon Snitow (otherjon(a)swiftstack.com) TheSriram (sriram(a)klusterkloud.com) Koert van der Veer (koert(a)cloudvps.com) Thanks to everyone for your hard work. I'm very happy with where Swift is and where we are going together. --John

1 1

OpenStack Community Weekly Newsletter (Aug 2-9)
by Stefano Maffulli 10 Aug '13

10 Aug '13

Hong Kong Summit -- Registration, Call for Sponsors Now Open! <http://www.openstack.org/blog/2013/06/hong-kong-summit-registration-call-fo…> ???????????????????? ???????, ???????? <http://openstacksummitnovember2013.eventbrite.com/> DevStack in 1 minute <http://sebastien-han.fr/blog/2013/08/08/devstack-in-1-minute/> It can be as easy as it looks: step by step instructions by Sébastien Han <http://sebastien-han.fr/>. *OpenStack Compute For vSphere Admins <http://cloudarchitectmusings.com/2013/08/05/openstack-compute-for-vsphere-a…>* An ongoing series of posts by Kenneth Hui <http://cloudarchitectmusings.com/> about OpenStack for vSphere Admins. You can catch up on previous posts by following the links here for part 1 <http://cloudarchitectmusings.com/2013/06/24/openstack-for-vmware-admins-nov…>, part 2 <http://cloudarchitectmusings.com/2013/06/26/openstack-for-vmware-admins-nov…>, part 3 <http://cloudarchitectmusings.com/2013/07/09/openstack-compute-for-vsphere-a…> and part 4 <http://cloudarchitectmusings.com/2013/08/05/openstack-compute-for-vsphere-a…>. OpenStack's Test Driven Core <http://robhirschfeld.com/2013/08/08/openstacks-test-driven-core-its-where-i…> In helping drive OpenStack's "what is core" dialog <http://robhirschfeld.com/2013/08/06/core-community-dialogue/>, board member Rob Hirschfeld <http://robhirschfeld.com/> has reported a lot of viewpoints about what OpenStack is and what it should be <http://robhirschfeld.com/2013/07/22/making-openstack-meaningful/>. As a good steward of this process he has successfully managed to be an objective listener <http://web.missouri.edu/%7Ecampbellr/Leadership/chapter6.htm>. In the recent post in the series, he expresses his point of view. This is one of the most important conversations for the OpenStack Foundation and it's happening now. Flavors -- An English perspective <http://openstack-in-production.blogspot.com/2013/08/flavors-english-perspec…> OpenStack has the capability to define flavors of virtual machines, how many cores, swap, disk and memory. As a native UK English speaker, Tim Bell finds the term /flavor/ to already be a problem. In his post describing how flavors are used at CERN he appeals to the OpenStack technical committee to not accept any term which is not the same in US and UK English or to allow an alias. His post has lots of other interesting information, too. Non-Relational Database-as-a-Service in OpenStack <http://www.zerobanana.com/archive/2013/08/07#non-relational-trove> The OpenStack Technical Committee voted this week <http://eavesdrop.openstack.org/meetings/tc/2013/tc.2013-08-06-20.01.html> to expand the scope of the Trove <https://wiki.openstack.org/wiki/Trove> program, which is currently in incubation, to encompass non-relational as well as relational databases. Tips 'n Tricks * By John Bresnahan <https://tropicaldevel.wordpress.com/>: Download Modules In Nova <https://tropicaldevel.wordpress.com/2013/08/07/download-modules-in-nova/> * By Marconi's mongodb driver improvements <http://blog.flaper87.org/post/520172de0f06d356d434d61d/> * By Emilien Macchi <http://my1.fr/blog>: Yet another way to monitor OpenStack <http://my1.fr/blog/yet-another-way-to-monitor-openstack/?utm_source=rss&utm…> * By Steve Hardy <http://hardysteven.blogspot.com/search/label/openstack>: Heat Nested Resource Introspection <http://hardysteven.blogspot.com/2013/08/heat-nested-resource-introspection.…> * By The Official Rackspace Blog <http://www.rackspace.com/blog>: Architecting VMware vSphere For OpenStack <http://www.rackspace.com/blog/architecting-vmware-vsphere-for-openstack/> * By Christian Berendt <http://www.cberendt.de/>: Using Redis with Horizon <http://www.cberendt.de/2013/08/using-redis-with-horizon/?utm_source=rss&utm…> * By Michael Still <http://www.stillhq.com/>: Exploring a single database migration <http://www.stillhq.com/openstack/tips/000002.html> Upcoming Events * Openstack Bucharest Meeting <http://www.meetup.com/Openstack-Bucharest/events/123884092/> Aug 12, 2013 -- Bucharest, Romania Details <http://www.meetup.com/Openstack-Bucharest/events/123884092/> * Bangalore Meetup <http://www.meetup.com/Indian-OpenStack-User-Group/events/132218642/> Aug 24, 2013 -- Bangalore, India Details <http://www.meetup.com/Indian-OpenStack-User-Group/events/132218642/> * Primer Evento Grupo Venezolano OpenStack <https://plus.google.com/u/0/106856980692854321746/posts/bFpvMPqffp9> Aug 24, 2013 -- Caracas, Venezuela Details <https://plus.google.com/u/0/106856980692854321746/posts/bFpvMPqffp9> * 2nd OpenStack User Group Nordics meetup <http://www.meetup.com/OpenStack-User-Group-Nordics/>Sep 11, 2013 -- Kista, Stockholm Details <http://www.meetup.com/OpenStack-User-Group-Nordics/> * OpenStack on Ales <http://openstack.onales.com/> Sep 30 -- Oct 01, 2013 -- Bend, OR Details <http://openstack.onales.com/> * Swift Hackathon <http://swifthackathon.eventbrite.com/> Oct 15 -- 17, 2013 -- Aust, TX Details <http://swifthackathon.eventbrite.com/> * INTEROP <http://www.interop.in/> Nov 20 -- 22, 2013 -- Mumbai, India Details <http://www.interop.in/> Reports from Previous Events * HP Public Cloud OSCON Sessions -- Videos <https://blog.hpcloud.com/hp-public-cloud-oscon-sessions-videos> * Aug 6th OpenStack Foundation Board Meeting <http://blogs.gnome.org/markmc/2013/08/08/aug-6th-openstack-foundation-board…> * Google+ Hangout with Puppet Labs <http://rafstack.tumblr.com/post/57600686980/august-8-google-hangout-with-pu…> Other News * python-heatclient 0.2.4 released <http://lists.openstack.org/pipermail/openstack-announce/2013-August/000128.…> * heat-cfntools 1.2.5 released <http://lists.openstack.org/pipermail/openstack-announce/2013-August/000129.…> * python-novaclient 2.14.0 released <http://lists.openstack.org/pipermail/openstack-announce/2013-August/000125.…> * Open Mic Spotlight: Brad Topol <http://www.openstack.org/blog/2013/08/open-mic-spotlight-brad-topol/> * The Fanatical Faces Of Rackspace Private Cloud: Ryan Yard <http://www.rackspace.com/blog/the-fanatical-faces-of-rackspace-private-clou…> * Marconi's mongodb driver improvements <http://blog.flaper87.org/post/520172de0f06d356d434d61d/> * OpenStack Project Technical Lead Interview Series #7: Gabriel Hurley, OpenStack Horizon Project <http://www.mirantis.com/blog/openstack-project-technical-lead-interview-ser…> * OpenStack Project Meeting: Summary <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-08-06-21.…> and full logs <http://eavesdrop.openstack.org/meetings/project/2013/project.2013-08-06-21.…> * OpenStack Foundation Board official meeting minutes June 27 2013 <https://wiki.openstack.org/wiki/Governance/Foundation/27June2013BoardMinutes> * OpenStack Foundation Board meeting official summary <http://lists.openstack.org/pipermail/foundation/2013-August/001454.html> and Mark McLoughlin's notes <http://blogs.gnome.org/markmc/2013/08/08/aug-6th-openstack-foundation-board…> Security Advisories * Denial of Service using XML entities in Nova/Cinder extensions (CVE-2013-4179, CVE-2013-4202) <http://lists.openstack.org/pipermail/openstack-announce/2013-August/000133.…> * Denial of Service in Nova network source security groups (CVE-2013-4185) <http://lists.openstack.org/pipermail/openstack-announce/2013-August/000127.…> * Resource limit circumvention in Nova private flavors (CVE-2013-2256) <http://lists.openstack.org/pipermail/openstack-announce/2013-August/000126.…> * Swift Denial of Service using superfluous object tombstones (CVE-2013-4155) <http://lists.openstack.org/pipermail/openstack-announce/2013-August/000131.…> * Cinder LVM volume driver does not support secure deletion (CVE-2013-4183) <http://lists.openstack.org/pipermail/openstack-announce/2013-August/000130.…> Got answers? Ask OpenStack <https://ask.openstack.org/> is the go-to destination for OpenStack users. Interesting questions waiting for answers: * How Do I allow IP protocols other than TCP, UDP, or ICMP (such as GRE)through my security group? <https://ask.openstack.org/en/question/3888/how-do-i-allow-ip-protocols-othe…> * How should I use the VIF Isolation Rules with XenServer 6.2 and OpenStack? <https://ask.openstack.org/en/question/3869/how-should-i-use-the-vif-isolati…> * Adding Ubuntu Image to XenServer Powered Openstack filesystem already mounted <https://ask.openstack.org/en/question/3766/adding-ubuntu-image-to-xenserver…> * What other steps should I take with networking after adding a compute node? <https://ask.openstack.org/en/question/3703/what-other-steps-should-i-take-w…> * glance-api failed to start up with latest devstack <https://ask.openstack.org/en/question/3839/glance-api-failed-to-start-up-wi…> Welcome New Developers Is your affiliation correct? Check your profile in the OpenStack Foundation Members Database! * Jing Sun, IBM * Zhi kun Liu, IBM * ZhiQiang Fan, None * raiesmh08, ? * Toni Zehnder, ZHAW ICCLab * Yijing Zhang, None * Roman Verchikov, Mirantis * Noorul Islam K M, None * Teran McKinney, Rackspace * Mark Collier, OpenStack Foundation * Deepti Navale, Red Hat * Tracy Jones, VMware * Joe H. Rahme, Enovance /The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment./

1 0

OpenStack 2013.1.3 released
by Alan Pevec 09 Aug '13

09 Aug '13

Hello, The OpenStack Stable Maintenance team is happy to announce the release of the 2013.1.3 stable Grizzly release. We have been busy reviewing and accepting backported bugfixes to the stable/grizzly branches according to the criteria set at: https://wiki.openstack.org/wiki/StableBranch A total of 116 bugs have been fixed across all core projects. These updates to Grizzly and are intended to be relatively risk free with no intentional regressions or API changes. The list of bugs, tarballs and other milestone information for each project may be found on Launchpad: https://launchpad.net/cinder/grizzly/2013.1.3 https://launchpad.net/glance/grizzly/2013.1.3 https://launchpad.net/horizon/grizzly/2013.1.3 https://launchpad.net/keystone/grizzly/2013.1.3 https://launchpad.net/nova/grizzly/2013.1.3 https://launchpad.net/neutron/grizzly/2013.1.3 Release notes may be found on the wiki: https://wiki.openstack.org/wiki/ReleaseNotes/2013.1.3 In addition to core projects, we've also cut a 2013.1.3 stable release for both Heat and Ceilometer projects, closing another 15 bugs: https://launchpad.net/ceilometer/grizzly/2013.1.3 https://launchpad.net/heat/grizzly/2013.1.3 The freeze on the stable/grizzly branches will be lifted today as we begin working toward the 2013.1.4 release, planned for October 10 and managed by Adam Gandelman. Thanks, Alan

1 0

[OSSA 2013-023] Denial of Service using XML entities in Nova/Cinder extensions (CVE-2013-4179, CVE-2013-4202)
by Thierry Carrez 08 Aug '13

08 Aug '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-023 CVE: CVE-2013-4179, CVE-2013-4202 Date: August 8, 2013 Title: Denial of Service using XML entities in Nova/Cinder extensions Reporter: Grant Murphy (Red Hat) Products: Nova, Cinder Affects: Grizzly and later Description: Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in specific extensions, an unauthenticated attacker may still consume excessive resources on the Nova (CVE-2013-4179) or Cinder (CVE-2013-4202) API servers, resulting in a denial of service and potentially a crash. Only Nova setups making use of the security group extension in Grizzly are affected. Only Cinder setups making use of the backups or volume transfer API extension in Grizzly are affected. Havana (development branch) fixes: Nova: https://review.openstack.org/40879 Cinder: https://review.openstack.org/40881 Grizzly fixes: Nova: https://review.openstack.org/40880 Cinder: https://review.openstack.org/40883 Note: The Nova and Cinder Grizzly fixes will be included in the upcoming 2013.1.3 stable release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4179 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4202 https://launchpad.net/bugs/1190229 Regards, - -- Thierry Carrez OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJSA8K6AAoJEFB6+JAlsQQj05EP/Rq9FXVZJCNfXgCBEpeSgrh/ kaglidx9JMqnvxJd92M+KFHZrZgBazwH9ZwsD1i4zs64XP1KH2UbvXzlwfaCb3M0 5/9cbqocyHJAeOFpYPvQCz/TmsHVH7CgftNL474AGixyTXfaH745/zveABNIYhou aEpq3CxHOcNycCuPYj4FgcXZ7lf8Eu7vaVsNhXmk/qgWo+l6N4LYznHf6UxHMnHf fB7+ZcjMCZtfZHO/9LRmROiprHHX9CprWtTZX+RUNjTa38VzyEetXG50zCEIiI/S wsxAUSOA6tremYLeuNXZwRawLdpolzvhEt04GITa7AC8udnjXkvHyA1VUcAtysMT SP5abGWdKMibSVwOmJ6+YLVMMXpTn9ww5LD2yJrcRy+xXyD9k2ofq8VMY9P/DJ2w kEEEQaMtmmqYqoVZc/rLRjBNiGgvD58hxYtLEVMShgbkduAUgfWmBnsZ7zgbzY9X ZDUN3wYkEQk6UZepa4g4mIjTFM0PkqXNoCOl8q7xNpLNYpmbF5rheIeE1HjIglGq hbCWzxDJZtKjvd2MqtYlZGfTgjpPA6tEDC3vto8nfsHQqvZUxv/OKg6KSCIq/6UA wxUD952GPmhImN+UVYiFMuNufufb0EI/EkVsmPJm54siOeq/ZOYvEc44M6K++7ve 3MySqda3xPZMaZn8KTFz =XFeJ -----END PGP SIGNATURE-----

1 0

[OSSA 2013-022] Swift Denial of Service using superfluous object tombstones (CVE-2013-4155)
by Thierry Carrez 07 Aug '13

07 Aug '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-022 CVE: CVE-2013-4155 Date: August 7, 2013 Title: Swift Denial of Service using superfluous object tombstones Reporter: Peter Portante (Red Hat) Products: Swift Affects: All versions Description: Peter Portante from Red Hat reported a vulnerability in Swift. By issuing requests with an old X-Timestamp value, an authenticated attacker can fill an object server with superfluous object tombstones, which may significantly slow down subsequent requests to that object server, facilitating a Denial of Service attack against Swift clusters. Havana (development branch) fix: https://review.openstack.org/40643 Grizzly fix: https://review.openstack.org/40645 Folsom fix: https://review.openstack.org/40646 Note: The havana fix will be included in the upcoming Swift 1.9.1 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4155 https://bugs.launchpad.net/swift/+bug/1196932 Regards, - -- Thierry Carrez OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJSAmwaAAoJEFB6+JAlsQQjgbEP/2hCZIRuMQoMPCcPg1LzA2PR BIOGBII7jXTjc/ku5/E29kTL2GwtiHC6PLezXdlGQFcLdJV4wi8Tq4OtVwFDEhHz 8wIhFVzKyPP1N9kktWH80PXhYUVECffuhL3+GKGcIMkz8+BPUj5EKeEHAZpkVw+S bu37N3IB5kpBN2riNBo+7BciKK81fXvJh5QH9T10pee6VrQMYk+fyAITPD91Ft1S ramVEM+L9m0n4oDXSg9bTuKdACPxNqR1ftn3AIS2xJFNz0jeECuI6bV/6MPpCtds 0bVDjgZfidz3LDvY/1LsUKGSAkcVViWCxYqYgZYFnnnGKgopPcvOzGXM2zZ5EHMa ypciysUSJ/HC4jQpmqNBmHbaHHaWIhO5krVC4Soh2Kj4gA5YgUFi2ybKkKo/RLpm THHjgo8bfCVdnVZMt+BjkGGXvNenv3tsE8ByfEKWZ+AGf0CcZGih5ONtRRgLsiew vC4p0haonrHkzWqNusdtXZcEXdEQRmMlCWS0PO+pzSypKgI8I5Pg34IHrNjgk4fa inkSMLxYDTTtHWoeQoczL6MQ0UYrDZmmSlXO4U7FE69I0uMPYt5b0eLWG28YEF3T pe+fbm4qkpMZN11DvduMtswSro1BZq9zJrJLGFG9HdOXN7vrXc0bWVuykh6q31tv w1Tar2ybFkiV+huvn2zb =YWXH -----END PGP SIGNATURE-----

1 0

[OSSA 2013-021] Cinder LVM volume driver does not support secure deletion (CVE-2013-4183)
by Jeremy Stanley 07 Aug '13

07 Aug '13

OpenStack Security Advisory: 2013-021 CVE: CVE-2013-4183 Date: August 7, 2013 Title: Cinder LVM volume driver does not support secure deletion Reporter: Rongze Zhu (UnitedStack) Products: Cinder Affects: 2013.1 (Grizzly) and later Description: Rongze Zhu from UnitedStack reported a vulnerability in the Cinder LVM volume driver. The contents of LVM snapshots may not be cleared upon deletion even when secure deletes are configured, resulting in potential exposure of latent data to subsequent servers for other tenants. Only setups using LVMVolumeDriver are affected. Havana (development branch) fix: https://review.openstack.org/36506 Grizzly fix: https://review.openstack.org/39565 Notes: This fix is included in the havana-2 development milestone and will appear in a future 2013.1.3 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4183 https://launchpad.net/bugs/1198185 -- Jeremy Stanley OpenStack Vulnerability Management Team

1 0

heat-cfntools 1.2.5 released
by Steve Baker 07 Aug '13

07 Aug '13

The heat development community would like to announce the release of heat-cfntools version 1.2.5. heat-cfntools contains the tools that can be installed on Heat provisioned cloud instances to implement portions of CloudFormation compatibility. This release can be installed from the following locations: http://tarballs.openstack.org/heat-cfntools/heat-cfntools-1.2.5.tar.gz <http://tarballs.openstack.org/heat-cfntools/heat-cfntools-1.2.5.tar.gz> https://pypi.python.org/pypi/heat-cfntools/1.2.5 <https://pypi.python.org/pypi/heat-cfntools/1.2.5> Bugs fixed in this release: https://launchpad.net/heat-cfntools/+milestone/v1.2.5 <https://launchpad.net/heat-cfntools/+milestone/v1.2.5>

1 0

python-heatclient 0.2.4 released
by Steve Baker 07 Aug '13

07 Aug '13

The heat development community would like to announce the release of python-heatclient version 0.2.4. python-heatclient is a client library for Heat built on the Heat orchestration API. It provides a Python API (the heatclient module) and a command-line tool (heat). This release can be installed from the following locations: http://tarballs.openstack.org/python-heatclient/python-heatclient-0.2.4.tar… <http://tarballs.openstack.org/python-heatclient/python-heatclient-0.2.4.tar…> https://pypi.python.org/pypi/python-heatclient/0.2.4 <https://pypi.python.org/pypi/python-heatclient/0.2.4> Bugs fixed in this release: https://launchpad.net/python-heatclient/+milestone/v0.2.4 <https://launchpad.net/python-heatclient/+milestone/v0.2.4>

1 0