[Openstack-operators] [Openstack] [OSSA 2014-031] Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)

Erik McCormick emccormick at cirrusseven.com
Mon Sep 29 23:48:02 UTC 2014


I'm mostly a stalker on this list, but if anyone's input is welcome, then a
big fat +1 to George's comments from me. I just patched Bash versions from
EL 4 systems for Shellshock. The least we can do is patch one-ago versions
for vulnerabilities.

-Erik
On Sep 29, 2014 7:41 PM, "George Shuklin" <george.shuklin at gmail.com> wrote:

>
> On 09/30/2014 01:55 AM, Jeremy Stanley wrote:
>
>> On 2014-09-29 21:59:32 +0300 (+0300), George Shuklin wrote:
>>
>>> Means no fixes for havana?
>>>
>> [...]
>>
>> Yes, that should have just said "Versions: up to 2014.1.2" as havana
>> is already past the end of support from the OpenStack vulnerability
>> management team and stable branch managers. I'm presently working on
>> the patches to our CI to tear out testing for it, and the
>> stable/havana branches of all our projects will most likely be
>> tagged "havana-eol" and deleted some time this week.
>>
> I think this is just _NOT_RIGHT_. I understand the 'end of bugfixes' idea.
> Either the software suits you perfectly, or you upgrade.
>
> But security and data loss bugs are different from normal ones. They can hit
> even if the user is completely happy with the software functionality, and harm
> really badly not only the user, but everyone around.
>
> Saying 'you should upgrade all your infrastructure at least once every
> year' is a bad idea. A lot of stuff changes at every new release and it's not
> like 'upgrade nginx from 1.1 to 1.4 - no one will notice'. An OpenStack
> upgrade is always huge: changes in configuration, sometimes manual database
> migration, deprecation and 'new recommended' stuff in all places.
>
> Security fixes should be continued at least twice as long as normal
> bugfixes.
>
> This model (all important bugfixes released and then no security fixes of
> any kind at all) just looks like a yummy cake for 'redistributors'
> - but no one knows if they are capable of backporting all new fixes or not...
>
> You can say 'go and upgrade', but usually the fresh version of OpenStack is
> just too raw and buggy. Example: a bug in neutron (havana) which caused
> instances to lose networking on reboot was fixed a year after the initial
> release. And security support was dropped right after that release.
>