Package: python-neutron Version: 2013.2.2-3 Severity: important Title: Routers can be cross plugged by other tenants Reporter: Aaron Rosen (VMWare) Products: Neutron Affects: 2012.2 versions up to 2013.2.2
Description: Aaron Rosen from VMWare reported a vulnerability where Neutron fails to perform proper authorization checks when creating ports. By choosing a device id of a router from a different tenant when creating a port, an authenticated user can access the network of other tenants. This affects deployments of Neutron using plugins relying on the l3-agent. Proposed patch: See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/grizzly, stable/havana and master (Icehouse development branch) on the public disclosure date. Note from Debian package maintainer: I have the patch and am I'm uploading a fixed version right away to Sid. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org