[Openstack-operators] [Openstack] [OSSA 2014-031] Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)

George Shuklin george.shuklin at gmail.com
Mon Sep 29 23:39:08 UTC 2014


On 09/30/2014 01:55 AM, Jeremy Stanley wrote:
> On 2014-09-29 21:59:32 +0300 (+0300), George Shuklin wrote:
>> Means no fixes for havana?
> [...]
>
> Yes, that should have just said "Versions: up to 2014.1.2" as havana
> is already past the end of support from the OpenStack vulnerability
> management team and stable branch managers. I'm presently working on
> the patches to our CI to tear out testing for it, and the
> stable/havana branches of all our projects will most likely be
> tagged "havana-eol" and deleted some time this week.

I think this is just _NOT_RIGHT_. I understand the 'end of bugfixes' idea: 
either the software suits you perfectly, or you upgrade.

But security and data loss bugs are different from normal ones. They can hit 
even if the user is completely happy with the software's functionality, and 
harm really badly not only the user but everyone around.

Saying 'you should upgrade all your infrastructure at least once every 
year' is a bad idea. Lots of stuff changes at every new release, and it is not 
like 'upgrade nginx from 1.1 to 1.4 - no one will notice'. An OpenStack 
upgrade is always huge: changes in configuration, sometimes manual 
database migration, deprecations and 'new recommended' stuff in all places.

Security fixes should be continued at least twice as long as normal 
bugfixes.

This model (all important bugfixes released, and then no security fixes of 
any kind at all) just looks like a yummy cake for 
'redistributors' - but no one knows whether they are capable of backporting 
all new fixes or not...

You can say 'go and upgrade', but usually a fresh version of OpenStack is 
just too raw and buggy. Example: a bug in neutron (havana) which caused 
instances to lose networking on reboot was fixed a year after the initial 
release. And security support was dropped right after that release.
