[Openstack-operators] [Openstack] [OSSA 2014-031] Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)
George Shuklin
george.shuklin at gmail.com
Mon Sep 29 23:39:08 UTC 2014
On 09/30/2014 01:55 AM, Jeremy Stanley wrote:
> On 2014-09-29 21:59:32 +0300 (+0300), George Shuklin wrote:
>> Means no fixes for havana?
> [...]
>
> Yes, that should have just said "Versions: up to 2014.1.2" as havana
> is already past the end of support from the OpenStack vulnerability
> management team and stable branch managers. I'm presently working on
> the patches to our CI to tear out testing for it, and the
> stable/havana branches of all our projects will most likely be
> tagged "havana-eol" and deleted some time this week.
I think this is just _NOT_RIGHT_. I understand the 'end of bugfixes' idea.
Either the software suits you perfectly, or you upgrade.
But security and data loss bugs are different from normal ones. They can hit
even if the user is completely happy with the software's functionality, and harm
really badly not only the user, but everyone around.
Saying 'you should upgrade your whole infrastructure at least once every
year' is a bad idea. Lots of stuff changes at every new release, and it's not
like 'upgrade nginx from 1.1 to 1.4 - no one will notice'. An OpenStack
upgrade is always huge: changes in configuration, sometimes manual
database migration, deprecation and 'new recommended' stuff in all places.
Security fixes should be continued at least twice as long as normal
bugfixes.
This model (all important bugfixes released and then no security fixes of
any kind at all) just looks like a yummy cake for
'redistributors' - but no one knows if they are capable of backporting all
new fixes or not...
You can say 'go and upgrade', but usually a fresh version of OpenStack is
just too raw and buggy. Example: the bug in neutron (havana) which caused
instances to lose networking on reboot was fixed a year after the initial
release. And security support was dropped right after that release.