Means no fixes for havana? Rather boring...

On 09/29/2014 05:10 PM, Grant Murphy wrote:
> OpenStack Security Advisory: OSSA-2014-031
> CVE: CVE-2014-6414
> Date: September 29, 2014
>
> Title: Admin-only network attributes may be reset to defaults by non-privileged users
> Reporter: Elena Ezhova (Mirantis)
> Products: Neutron
> Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2
>
> Description:
> Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network
> attribute with a default value a non-privileged user may reset admin-only network
> attributes. This may lead to unexpected behavior with security implications for
> operators with a custom policy.json, or in some extreme cases network outages
> resulting in denial of service. All deployments using neutron networking are
> affected by this flaw.
>
> Juno (development branch) fix:
> https://review.openstack.org/114531
>
> Icehouse fix:
> https://review.openstack.org/123849
>
> Notes:
> This fix will be included in the Juno release 2014.2.0 and in
> future 2014.1.3 release.
>
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6414
> https://launchpad.net/bugs/1357379
>
> --
> Grant Murphy
> OpenStack Vulnerability Management Team