On 9/13/21 7:31 PM, Salvatore Bonaccorso wrote: > Source: neutron > Version: 2:18.1.0-3 > Severity: important > Tags: security upstream > Forwarded: https://bugs.launchpad.net/neutron/+bug/1942179 > X-Debbugs-Cc: [email protected], Debian Security Team > <[email protected]> > > Hi, > > The following vulnerability was published for neutron. > > CVE-2021-40797[0]: > | An issue was discovered in the routes middleware in OpenStack Neutron > | before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making > | API requests involving nonexistent controllers, an authenticated user > | may cause the API worker to consume increasing amounts of memory, > | resulting in API performance degradation or denial of service. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2021-40797 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40797 > [1] https://bugs.launchpad.net/neutron/+bug/1942179 > > Please adjust the affected versions in the BTS as needed. > > Regards, > Salvatore >
Hi Salvatore, According to the launchpad bug, it feels like the issue is when using Eventlet as web server (ie: the integrated Python web server), but in Debian, the Neutron API is served over uwsgi. In such case, the API process just dies after it serves a query, if I'm not mistaking. Therefore, I don't think Debian would be affected. This is to be confirmed, as I asked in the #openstack-neutron IRC channel (also on OFTC), and I'm still waiting for a reply. Cheers, Thomas Goirand (zigo)

