[release-announce] octavia 2.1.2 (queens)

no-reply at openstack.org
Mon Oct 7 12:05:06 UTC 2019


We are thrilled to announce the release of:

octavia 2.1.2: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the queens stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

2.1.2
^^^^^


Security Issues
***************

* Correctly require two-way certificate authentication to connect to
  the amphora agent API (CVE-2019-17134).


Bug Fixes
*********

* Fixed an issue with the health manager reporting an
  UnboundLocalError if it gets an exception attempting to get a
  database connection.

* Fixed a potential DB deadlock in allocate_and_associate found in
  testing.

* Fixed an issue where invalid certificates would trigger an amphora
  failover loop. Certificates are now validated at API level.

* The passphrase for config option 'server_certs_key_passphrase' is
  used as a Fernet key in Octavia and thus must be exactly 32
  base64(url)-compatible characters long. Octavia will now validate
  the passphrase length and format.

Changes in octavia 2.1.1..2.1.2
-------------------------------

89a2f6e0 Fix urgent amphora two-way auth security bug
431d9c9b Fix l7rule API handling of None updates
1769de35 Validate server_certs_key_passphrase is 32 chars
d6c1f8ec Work around strptime threading issue
70d97efb Fix template that generates vrrp check script
3df43dc0 Revert "Use the infra pypi mirror for DIB"
2959d88b Add failover logging to show the amphora details.
d43c4f42 only rollback DB when we have a connection to the DB
66d71b01 Fix L7 repository create methods
9ae2f61b Use the infra pypi mirror for DIB
e7686135 Add warning log if auth_strategy is not keystone
37aad5db worker: Re-add FailoverPreparationForAmphora
7eb83acc Update tox.ini for new upper constraints strategy
26d8fde6 Validate certificate content at API level
d9c459a8 Add bindep.txt for Octavia
a96b00b4 Fix allocate_and_associate DB deadlock


Diffstat (except docs and test files)
-------------------------------------

bindep.txt                                         |  2 ++
.../templates/keepalived_check_script.conf.j2      |  2 +-
octavia/api/v2/controllers/l7rule.py               |  5 +++
octavia/api/v2/controllers/listener.py             |  4 ++-
octavia/api/v2/controllers/load_balancer.py        |  4 ++-
octavia/certificates/common/local.py               |  6 ++--
octavia/cmd/agent.py                               |  3 +-
octavia/cmd/api.py                                 |  6 ++++
octavia/common/base_taskflow.py                    |  3 ++
octavia/common/tls_utils/cert_parser.py            | 19 +++++-----
octavia/common/validate.py                         |  2 ++
octavia/controller/healthmanager/health_manager.py |  4 ++-
octavia/controller/worker/controller_worker.py     | 26 +++++++++++++-
octavia/controller/worker/flows/amphora_flows.py   |  4 +++
octavia/db/repositories.py                         |  9 +++++
.../healthmanager/test_health_manager.py           | 18 ++++++++++
...DB-Rollback-no-connection-2664c4f7823ecaec.yaml |  5 +++
...te_and_associate-deadlock-3ff1464421c1d464.yaml |  4 +++
...client-auth-vulnerability-6803f4bac2508e4c.yaml |  5 +++
...ix-certificate-validation-d65df8ff16e7f985.yaml |  5 +++
...rver_certs_key_passphrase-6a9dfc190c9deba8.yaml |  6 ++++
tox.ini                                            | 11 +++---
27 files changed, 212 insertions(+), 38 deletions(-)
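
The 'server_certs_key_passphrase' constraint from the Bug Fixes list above, as an added example that is not Octavia's own code: a pre-deployment check for a candidate passphrase, plus a generator for a conforming one. Assumptions: "base64(url) compatible" means the alphabet A-Z, a-z, 0-9, '-' and '_'; the key is derived by base64url-encoding the 32 passphrase bytes; all function names are hypothetical.

```python
import base64
import secrets
import string

# Assumption: the URL-safe base64 alphabet, without '=' padding.
_ALPHABET = string.ascii_letters + string.digits + "-_"
_REQUIRED_LEN = 32


def check_passphrase(value):
    """Return a list of problems; an empty list means the value conforms."""
    problems = []
    if len(value) != _REQUIRED_LEN:
        problems.append("length is %d, expected %d" % (len(value), _REQUIRED_LEN))
    bad = sorted(set(value) - set(_ALPHABET))
    if bad:
        problems.append("characters outside base64url alphabet: %r" % "".join(bad))
    return problems


def fernet_key_from(passphrase):
    """Encode a conforming passphrase into the 44-character Fernet key form.

    A Fernet key is the base64url encoding of exactly 32 bytes (a 128-bit
    signing key followed by a 128-bit encryption key), which is why the
    passphrase must be exactly 32 single-byte characters.
    Assumed derivation; not taken from the Octavia source.
    """
    problems = check_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return base64.urlsafe_b64encode(passphrase.encode("ascii"))


def new_passphrase():
    """Generate a random conforming passphrase from a CSPRNG."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(_REQUIRED_LEN))


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    for candidate in ("too-short", "x" * 31 + "!", new_passphrase()):
        print(repr(candidate), check_passphrase(candidate) or "ok")
```
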






