[neutron][operators][all][security-sig] Watch out for updates of stable/train and stable/stein releases in Neutron
fungi at yuggoth.org
Wed Nov 25 15:11:23 UTC 2020
On 2020-11-25 10:00:22 +0100 (+0100), Slawek Kaplonski wrote:
> On Wed, Nov 25, 2020 at 09:58:23AM +0100, Slawek Kaplonski wrote:
> > On Wed, Nov 25, 2020 at 08:47:03AM +0000, Tobias Urdin wrote:
> > > So to be clear in our case here, we are running 15.1.0 for
> > > neutron-server and 15.3.0 for neutron agents.
> > >
> > > That means that the agents does work but there is a security
> > > issue,as described regarding allowed address-pair, have I
> > > understood it correctly?
> > Yes, as it may have errors while applying SG rules.
> But one more thing. I'm not really sure if that is security issue
> TBH. By default neutron is dropping traffic to/from instances and
> You need to allow some kind of traffic by setting security group
> rules. So if rules will not be applied, some traffic will be
> dropped but nothing unwanted shouldn't be allowed.
I think maybe he was referring specifically to
https://launchpad.net/bugs/1867119 (which really should have been
marked as a duplicate of
https://launchpad.net/bugs/1793029 and the older one reopened
instead). In short, it describes an intended/expected behavior, and
any potential changes to make it less of a potential foot-cannon
were deemed in 1793029 to constitute an API break, so would not have
been safe to backport to stable branches. Instead the behavior was
highlighted with a warning here:
Probably if 1867119 had been redirected to 1793029 as a duplicate
and the discussion continued there, attempts to backport the "fix"
for it would have gotten shut down quickly, but that's all hindsight
now I suppose.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the openstack-discuss