On 2/18/21 8:49 AM, Jeremy Stanley wrote:
Please help the OpenStack Vulnerability Management Team by taking a look at the following report:
keystonemiddleware connections to memcached from neutron-server grow beyond configured values https://launchpad.net/bugs/1883659
Can it be exploited by a nefarious actor, and if so, how? Is it likely to be fixable in all our supported stable branches, respecting stable backport policy? What deployment configurations and options might determine whether a particular installation is susceptible? This is the sort of feedback we depend on to make determinations regarding whether and how to keep the public notified, so they can make informed decisions.
Thanks for doing your part to keep our users safe!
I ended up just closing this one for Oslo because it appears that using the oslo.cache backend actually fixes the bug. I also pushed a patch for a formerly private bug[0] that just bumps our minimum pyyaml version to avoid a vulnerability. I suspect everyone is already running newer versions of it, but if not now they know that they should. :-)

Strangely, I don't remember getting an email notification about that bug. I thought coresec team members were notified about private security bugs. I guess I'll have to keep a closer eye on our bug list from now on.

0: https://bugs.launchpad.net/oslo.config/+bug/1839398