[Openstack-operators] [Openstack] [OSSA 2014-031] Admin-only network attributes may be reset to defaults by non-privileged users (CVE-2014-6414)

gustavo panizzo (gfa) gfa at zumbi.com.ar
Tue Sep 30 00:02:31 UTC 2014


Icehouse will be supported 18 months IIRC.

I don't have a link here. It was mentioned in Thierry's presentation (mid-cycle state of the project) a few months ago.

On September 30, 2014 7:39:08 AM GMT+08:00, George Shuklin <george.shuklin at gmail.com> wrote:
>
>On 09/30/2014 01:55 AM, Jeremy Stanley wrote:
>> On 2014-09-29 21:59:32 +0300 (+0300), George Shuklin wrote:
>>> Means no fixes for havana?
>> [...]
>>
>> Yes, that should have just said "Versions: up to 2014.1.2" as havana
>> is already past the end of support from the OpenStack vulnerability
>> management team and stable branch managers. I'm presently working on
>> the patches to our CI to tear out testing for it, and the
>> stable/havana branches of all our projects will most likely be
>> tagged "havana-eol" and deleted some time this week.
>I think this is just _NOT_RIGHT_. I understand the 'end of bugfixes'
>idea.
>Either the software suits you perfectly, or you upgrade.
>
>But security and data loss bugs are different from normal ones. They can hit
>even if the user is completely happy with the software's functionality, and harm
>really badly not only the user, but everyone around.
>
>Saying 'you should upgrade your whole infrastructure at least once every
>year' is a bad idea. Lots of stuff changes at every new release and it's not
>like 'upgrade nginx from 1.1 to 1.4 - no one will notice'. An OpenStack
>upgrade is always huge: changes in configuration, sometimes manual
>database migration, deprecation and 'new recommended' stuff in all
>places.
>
>Security fixes should be continued at least twice as long as normal
>bugfixes.
>
>This model (all important bugfixes released and then no security
>fixes of any kind at all) just looks like a yummy cake for
>'redistributors' - but no one knows if they are capable of backporting all
>new fixes or not...
>
>You can say 'go and upgrade', but usually a fresh version of OpenStack is
>just too raw and buggy. Example: a bug in neutron (havana) which caused
>instances to lose networking on reboot was fixed a year after the initial
>release. And security support was dropped right after that release.

-- 
Sent from mobile.
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333