From fungi at yuggoth.org Tue Aug 6 19:19:09 2019
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Tue, 6 Aug 2019 19:19:09 +0000
Subject: [openstack-announce] [OSSA-2019-003] Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433)
Message-ID: <20190806191908.o52es6mbavyle2k4@yuggoth.org>

==========================================================================
OSSA-2019-003: Nova Server Resource Faults Leak External Exception Details
==========================================================================

:Date: August 06, 2019
:CVE: CVE-2019-14433

Affects
~~~~~~~
- Nova: <17.0.12,>=18.0.0<18.2.2,>=19.0.0<19.0.2

Description
~~~~~~~~~~~
Donny Davis with Intel reported a vulnerability in Nova Compute resource
fault handling. If an API request from an authenticated user ends in a
fault condition due to an external exception, details of the underlying
environment may be leaked in the response and could include sensitive
configuration or other data.

Patches
~~~~~~~
- https://review.openstack.org/674908 (Ocata)
- https://review.openstack.org/674877 (Pike)
- https://review.openstack.org/674859 (Queens)
- https://review.openstack.org/674848 (Rocky)
- https://review.openstack.org/674828 (Stein)
- https://review.openstack.org/674821 (Train)

Credits
~~~~~~~
- Donny Davis from Intel (CVE-2019-14433)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1837877
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14433

Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance
  and will receive no new point releases, but patches for them are provided
  as a courtesy.

--
Jeremy Stanley
OpenStack Vulnerability Management Team
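The fault-handling pattern behind OSSA-2019-003, as an added example that is not Nova's code: a server "fault" record is built from whatever exception ended the request, and the vulnerable variant copies the raw exception text into it, while the hardened variant only passes through messages of exception classes written for API consumers and reduces everything else to a class name. The class names (ApiException, InstanceNotFound), the is_admin flag, and the sample exceptions (including the constructed storage URL with an embedded key) are assumptions made for illustration.

```python
"""Sanitising server fault records: added example, not Nova's code.
Class names, the is_admin flag and the sample exceptions are assumptions."""
import traceback


class ApiException(Exception):
    """Assumed base class for exceptions whose message is written for API
    consumers and is therefore safe to show any authenticated user."""
    code = 500


class InstanceNotFound(ApiException):
    code = 404


def _traceback(exc):
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def fault_leaky(exc, is_admin=False):
    """Vulnerable pattern: whatever the failing call raised, its text is
    copied verbatim into the fault the user reads via the server resource."""
    return {"code": getattr(exc, "code", 500),
            "message": str(exc),
            "details": _traceback(exc) if is_admin else None}


def fault_hardened(exc, is_admin=False):
    """Hardened pattern: only exceptions designed for API consumers keep
    their message.  Driver, library and OS errors are reduced to the class
    name, so hostnames, paths and credentials embedded in external error
    strings never reach a non-admin user.  The traceback stays admin-only."""
    if isinstance(exc, ApiException):
        message = str(exc)
    else:
        message = exc.__class__.__name__
    return {"code": getattr(exc, "code", 500),
            "message": message,
            "details": _traceback(exc) if is_admin else None}


# Constructed samples: an external library error whose text embeds a
# storage credential (the kind of string a backend driver might raise),
# and an API-level error meant for the user.
SAMPLE_EXTERNAL = OSError(
    "error connecting to rbd://cinder:s3cr3tkey@10.0.0.5:6789/volumes")
SAMPLE_API = InstanceNotFound(
    "Instance 4f2c0d3e-1111-4a6b-9c77-000000000001 could not be found")


def demo():
    """User-visible results of both patterns on the constructed samples."""
    return {
        "leaky_external": fault_leaky(SAMPLE_EXTERNAL)["message"],
        "hardened_external": fault_hardened(SAMPLE_EXTERNAL)["message"],
        "hardened_api": fault_hardened(SAMPLE_API)["message"],
        "hardened_api_code": fault_hardened(SAMPLE_API)["code"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check worth running against any API that stores faults is the one the sample makes visible: trigger a failure in a backend call as a non-admin user, then confirm the fault message is a class name or a curated string and that the traceback field is empty for that user.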
From fungi at yuggoth.org Thu Aug 29 14:41:32 2019
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Thu, 29 Aug 2019 14:41:32 +0000
Subject: [openstack-announce] [OSSA-2019-004] Ageing time of 0 disables linuxbridge MAC learning (CVE-2019-15753)
Message-ID: <20190829144132.kivzg435silxniui@yuggoth.org>

=================================================================
OSSA-2019-004: Ageing time of 0 disables linuxbridge MAC learning
=================================================================

:Date: August 29, 2019
:CVE: CVE-2019-15753

Affects
~~~~~~~
- Os-vif: >=1.15.0<1.15.2, 1.16.0

Description
~~~~~~~~~~~
James Denton with Rackspace reported a vulnerability in os-vif, the
Nova/Neutron network integration library. A hard-coded MAC ageing time of
0 disables MAC learning in linuxbridge, forcing obligatory Ethernet
flooding for non-local destinations which both impedes network performance
and allows users to possibly view the content of packets for instances
belonging to other tenants sharing the same network. Only deployments
using the linuxbridge backend are affected.

Patches
~~~~~~~
- https://review.opendev.org/678098 (Stein)
- https://review.opendev.org/672834 (Train)

Credits
~~~~~~~
- James Denton from Rackspace (CVE-2019-15753)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1837252
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15753

--
Jeremy Stanley, on behalf of the OpenStack VMT
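A host-side check for the condition OSSA-2019-004 describes, as an added example that is not os-vif's code: the Linux kernel exposes each bridge's ageing time under /sys/class/net/NAME/bridge/ageing_time in hundredths of a second (default 300 s, shown as 30000 or 29999), so a bridge reporting 0 has no MAC learning and floods every non-local frame to all ports. The script scans that tree, lists hub-like bridges, and prints the iproute2 command that restores the default. The fake sysfs tree built in build_fake_sysfs() and the bridge names in it are constructed for the example.

```python
"""Finding Linux bridges with MAC ageing time 0: added example, not os-vif
code.  The fake sysfs tree and bridge names below are constructed."""
import os
import tempfile

# sysfs reports ageing_time in hundredths of a second (USER_HZ units).
TICKS_PER_SECOND = 100


def bridge_ageing_times(sys_class_net="/sys/class/net"):
    """Map every bridge under sys_class_net to its ageing time in seconds.
    Interfaces without a bridge/ageing_time attribute are not bridges."""
    result = {}
    for name in sorted(os.listdir(sys_class_net)):
        path = os.path.join(sys_class_net, name, "bridge", "ageing_time")
        if not os.path.isfile(path):
            continue
        with open(path) as f:
            result[name] = int(f.read().strip()) / TICKS_PER_SECOND
    return result


def hub_like_bridges(sys_class_net="/sys/class/net"):
    """Names of bridges whose ageing time is 0: learned entries never
    survive, so the bridge floods unicast frames to every port and each
    port can see the other ports' traffic."""
    return [b for b, t in bridge_ageing_times(sys_class_net).items() if t == 0]


def remediation_command(bridge, seconds=300):
    """iproute2 command restoring a normal ageing time (argument in 1/100 s)."""
    return (f"ip link set dev {bridge} type bridge "
            f"ageing_time {seconds * TICKS_PER_SECOND}")


def build_fake_sysfs():
    """Constructed stand-in for /sys/class/net: a bridge with ageing 0, a
    bridge with the kernel default, and a plain NIC that is not a bridge."""
    root = tempfile.mkdtemp()
    for name, ticks in (("brq1a2b3c4d-5e", 0), ("brq9f8e7d6c-5b", 29999)):
        os.makedirs(os.path.join(root, name, "bridge"))
        with open(os.path.join(root, name, "bridge", "ageing_time"), "w") as f:
            f.write(f"{ticks}\n")
    os.makedirs(os.path.join(root, "eth0"))
    return root


if __name__ == "__main__":
    # Run against the constructed tree; pass nothing to scan the real host.
    root = build_fake_sysfs()
    for bridge in hub_like_bridges(root):
        print(f"{bridge}: ageing time 0, flooding all frames")
        print(f"  fix: {remediation_command(bridge)}")
```

On a real compute node call hub_like_bridges() with no argument (it needs only read access to sysfs). Resetting the ageing time with the printed command is a temporary measure; if the agent that created the bridge still sets 0, it will do so again on the next bridge creation, which is why the fix belongs in the affected os-vif versions listed above.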