Your message dated Wed, 06 Dec 2017 12:05:12 +0000
with message-id <e1emyrs-000cy7...@fasolo.debian.org>
and subject line Bug#883621: fixed in nova 2:16.0.3-5
has caused the Debian Bug report #883621,
regarding nova: CVE-2017-17051: Nova FilterScheduler doubles resource 
allocations during rebuild with new image
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883621: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883621
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nova
Version: 2:16.0.3-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for nova.

CVE-2017-17051[0]:
| An issue was discovered in the default FilterScheduler in OpenStack
| Nova 16.0.3. By repeatedly rebuilding an instance with new images, an
| authenticated user may consume untracked resources on a hypervisor host
| leading to a denial of service, aka doubled resource allocations. This
| regression was introduced with the fix for OSSA-2017-005
| (CVE-2017-16239); however, only Nova stable/pike or later deployments
| with that fix applied and relying on the default FilterScheduler are
| affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17051
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17051
[1] http://www.openwall.com/lists/oss-security/2017/12/05/5

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nova
Source-Version: 2:16.0.3-5

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 06 Dec 2017 12:24:45 +0100
Source: nova
Binary: nova-api nova-cells nova-common nova-compute nova-compute-ironic 
nova-compute-kvm nova-compute-lxc nova-compute-qemu nova-conductor nova-console 
nova-consoleauth nova-consoleproxy nova-doc nova-placement-api nova-scheduler 
nova-volume python-nova
Architecture: source all
Version: 2:16.0.3-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 nova-api   - OpenStack Compute - compute API frontend
 nova-cells - Openstack Compute - cells
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-ironic - OpenStack Compute - compute node (Ironic)
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-placement-api - OpenStack compute - placement API
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 883621
Changes:
 nova (2:16.0.3-5) unstable; urgency=high
 .
   * CVE-2017-17051/OSSA-2017-005.1 (errata for CVE-2017-16239/OSSA-2017-005):
     Nova Filter Scheduler bypass through rebuild action. Apply upstream patch:
     Refined fix for validating image on rebuild (Closes: #883621).

--- End Message ---
