On 01/23/2014 10:38 AM, Grant Murphy wrote:
> OpenStack Security Advisory: 2014-003
> CVE: CVE-2013-7130
> Date: January 23, 2014
>
> Title: Live migration can leak root disk into ephemeral storage
> Reporter: Loganathan Parthipan (HP)
> Products: Nova
> Affects: All supported versions
>
> Description:
> Loganathan Parthipan from Hewlett Packard reported a vulnerability in
> the Nova libvirt driver. By spawning a server with the same flavor as
> another user's migrated virtual machine, an authenticated user can
> potentially access that user's snapshot content resulting in information
> leakage. Only setups using KVM live block migration are affected.
>
> Icehouse (development branch) fix:
> https://review.openstack.org/#/c/68658/
>
> Havana (development branch) fix:
> https://review.openstack.org/#/c/68659/
>
> Grizzly fix:
> https://review.openstack.org/#/c/68660/
>
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7130
> https://bugs.launchpad.net/nova/+bug/1251590

already fixed in gentoo.

=sys-cluster/nova-2013.1.4-r4
=sys-cluster/nova-nova-2013.2.1-r2

The versions from git will be fixed as soon as it's in git

=sys-cluster/nova-2013.1.9999
=sys-cluster/nova-2013.2.9999
=sys-cluster/nova-9999

--
-- Matthew Thode (prometheanfire)