From daniel at preussker.net Tue Oct 8 09:23:06 2019
From: daniel at preussker.net (Daniel 'f0o' Preussker)
Date: Tue, 8 Oct 2019 11:23:06 +0200
Subject: [openstack-announce] [OSSA-2019-005] Octavia Amphora-Agent not requiring Client-Certificate (CVE-2019-17134)
Message-ID:

=====================================================================
OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
=====================================================================

:Date: October 07, 2019
:CVE: CVE-2019-17134

Affects
~~~~~~~
- Octavia: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0

Description
~~~~~~~~~~~
Daniel Preussker reported a vulnerability in amphora-agent, running within
Octavia Amphora Instances, which allows unauthenticated access from the
management network. This leads to information disclosure and also allows
changes to the configuration of the Amphora via simple HTTP requests, because
the cmd/agent.py gunicorn cert_reqs option is incorrectly set to True instead
of ssl.CERT_REQUIRED.

Patches
~~~~~~~
- https://review.opendev.org/686547 (Ocata)
- https://review.opendev.org/686546 (Pike)
- https://review.opendev.org/686545 (Queens)
- https://review.opendev.org/686544 (Rocky)
- https://review.opendev.org/686543 (Stein)
- https://review.opendev.org/686541 (Train)

Credits
~~~~~~~
- Daniel Preussker (CVE-2019-17134)

References
~~~~~~~~~~
- https://storyboard.openstack.org/#!/story/2006660
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17134

Notes
~~~~~
- The stable/ocata and stable/pike branches are under extended maintenance
  and will receive no new point releases, but patches for them are provided
  as a courtesy.
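The root cause named in the advisory is a type confusion in a configuration value: Python's ssl module defines cert_reqs as an integer mode (CERT_NONE == 0, CERT_OPTIONAL == 1, CERT_REQUIRED == 2), and the boolean True is the integer 1, so cert_reqs=True silently means "client certificate optional". The following example is added here and is not code from the advisory, from Octavia or from gunicorn; it assumes only that the server hands the cert_reqs setting to the ssl module as an integer, which is what the ssl module's own verify_mode setter does. The settings dicts are constructed stand-ins for the real agent configuration, and the audit function is a hypothetical defender-side check, not an Octavia API.

```python
import ssl

# Constructed gunicorn-style settings (assumed shape, not Octavia's real
# config loader): the first mirrors the bug in OSSA-2019-005, the second the fix.
VULNERABLE_SETTINGS = {"cert_reqs": True}
FIXED_SETTINGS = {"cert_reqs": ssl.CERT_REQUIRED}


def effective_verify_mode(cert_reqs) -> ssl.VerifyMode:
    """Return the ssl.VerifyMode that an integer-valued cert_reqs resolves to.

    True is the integer 1, so it maps to CERT_OPTIONAL: a peer that presents
    no certificate at all still completes the handshake.
    """
    return ssl.VerifyMode(int(cert_reqs))


def build_server_context(cert_reqs) -> ssl.SSLContext:
    """Build a server-side TLS context by assigning the raw setting to
    verify_mode, the same integer coercion the ssl module applies to any
    server that forwards a cert_reqs value unchanged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs  # the setter accepts any int, True included
    return ctx


def audit_cert_reqs(settings: dict) -> list:
    """Hypothetical defender-side check: report a finding unless the
    configured mode is exactly CERT_REQUIRED."""
    raw = settings.get("cert_reqs", ssl.CERT_NONE)
    mode = effective_verify_mode(raw)
    findings = []
    if mode != ssl.CERT_REQUIRED:
        findings.append(
            f"cert_reqs={raw!r} resolves to {mode.name}; "
            "peers without a client certificate can reach the API"
        )
    return findings


if __name__ == "__main__":
    for label, settings in (("vulnerable", VULNERABLE_SETTINGS),
                            ("fixed", FIXED_SETTINGS)):
        ctx = build_server_context(settings["cert_reqs"])
        print(f"{label}: verify_mode={ctx.verify_mode.name} "
              f"findings={audit_cert_reqs(settings)}")
```

The check compares against CERT_REQUIRED with `!=` rather than testing truthiness, because truthiness is exactly the trap: both CERT_OPTIONAL and CERT_REQUIRED are truthy, and a `bool(cert_reqs)` style check would have passed the vulnerable value.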
From sean.mcginnis at gmx.com Wed Oct 16 14:17:34 2019
From: sean.mcginnis at gmx.com (Sean McGinnis)
Date: Wed, 16 Oct 2019 09:17:34 -0500
Subject: [openstack-announce] OpenStack Train is officially released!
Message-ID: <20191016141734.GA13004@sm-workstation>

Hello OpenStack community,

I'm excited to announce the final releases for the components of OpenStack
Train, which conclude the Train development cycle.

You will find a complete list of all components, their latest versions, and
links to individual project release notes documents listed on the new release
site.

https://releases.openstack.org/train/

Congratulations to all of the teams who have contributed to this release!

Our next production cycle, Ussuri, has already started. We will meet in
Shanghai, China, November 6-8 at the Project Team Gathering to plan the work
for the upcoming cycle. I hope to see you there!

Thanks,
Sean McGinnis and the Release Management team