Bug#883621: marked as done (nova: CVE-2017-17051: Nova FilterScheduler doubles resource allocations during rebuild with new image)

2017-12-07 Thread Debian Bug Tracking System
Your message dated Thu, 07 Dec 2017 09:19:22 +
with message-id 
and subject line Bug#883621: fixed in nova 2:16.0.3-6
has caused the Debian Bug report #883621,
regarding nova: CVE-2017-17051: Nova FilterScheduler doubles resource 
allocations during rebuild with new image
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883621: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883621
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nova
Version: 2:16.0.3-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for nova.

CVE-2017-17051[0]:
| An issue was discovered in the default FilterScheduler in OpenStack
| Nova 16.0.3. By repeatedly rebuilding an instance with new images, an
| authenticated user may consume untracked resources on a hypervisor host
| leading to a denial of service, aka doubled resource allocations. This
| regression was introduced with the fix for OSSA-2017-005
| (CVE-2017-16239); however, only Nova stable/pike or later deployments
| with that fix applied and relying on the default FilterScheduler are
| affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17051
[1] http://www.openwall.com/lists/oss-security/2017/12/05/5

Regards,
Salvatore
--- End Message ---
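
Added example, not part of the original report or of Nova's code: a Python audit that flags instances whose allocations on a single host exceed what their flavor requests, the symptom the CVE text above calls doubled resource allocations. The record layout, host and instance names, and flavor sizes are constructed for illustration; real data would come from the deployment's own placement and compute inventories.

```python
from collections import defaultdict

# Constructed sample data (not taken from the bug report).
FLAVORS = {"m1.small": {"VCPU": 1, "MEMORY_MB": 2048, "DISK_GB": 20}}
INSTANCES = {"vm-a": "m1.small", "vm-b": "m1.small", "vm-c": "m1.small"}
# (instance, resource provider, resource class, amount allocated)
ALLOCATIONS = [
    ("vm-a", "host1", "VCPU", 1), ("vm-a", "host1", "MEMORY_MB", 2048),
    ("vm-a", "host1", "DISK_GB", 20),
    # vm-b: twice the flavor on one host, the state the CVE describes
    ("vm-b", "host1", "VCPU", 2), ("vm-b", "host1", "MEMORY_MB", 4096),
    ("vm-b", "host1", "DISK_GB", 40),
    # vm-c: assumed legitimate case, one flavor's worth on each of two hosts
    # (for example while a move between hosts is in progress)
    ("vm-c", "host1", "VCPU", 1), ("vm-c", "host2", "VCPU", 1),
    ("vm-c", "host1", "MEMORY_MB", 2048), ("vm-c", "host2", "MEMORY_MB", 2048),
]


def per_host_totals(allocations):
    """Sum allocations per (instance, provider) and resource class."""
    totals = defaultdict(lambda: defaultdict(int))
    for instance, provider, rclass, amount in allocations:
        totals[(instance, provider)][rclass] += amount
    return totals


def find_over_allocated(instances, flavors, allocations):
    """Return {(instance, provider): {rclass: (expected, actual)}} wherever a
    single host holds more for an instance than the instance's flavor asks."""
    findings = {}
    for (instance, provider), used in per_host_totals(allocations).items():
        flavor = flavors[instances[instance]]
        excess = {rc: (flavor.get(rc, 0), amt)
                  for rc, amt in used.items() if amt > flavor.get(rc, 0)}
        if excess:
            findings[(instance, provider)] = excess
    return findings


if __name__ == "__main__":
    for key, excess in find_over_allocated(INSTANCES, FLAVORS, ALLOCATIONS).items():
        print(key, excess)
```

Comparing per host rather than per instance keeps an instance that holds one flavor's worth on two hosts from being reported as doubled.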
--- Begin Message ---
Source: nova
Source-Version: 2:16.0.3-6

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand  (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 07 Dec 2017 09:29:15 +0100
Source: nova
Binary: nova-api nova-cells nova-common nova-compute nova-compute-ironic 
nova-compute-kvm nova-compute-lxc nova-compute-qemu nova-conductor nova-console 
nova-consoleauth nova-consoleproxy nova-doc nova-placement-api nova-scheduler 
nova-volume python-nova
Architecture: source all
Version: 2:16.0.3-6
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack 
Changed-By: Thomas Goirand 
Description:
 nova-api   - OpenStack Compute - compute API frontend
 nova-cells - Openstack Compute - cells
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-ironic - OpenStack Compute - compute node (Ironic)
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-placement-api - OpenStack compute - placement API
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 883621
Changes:
 nova (2:16.0.3-6) unstable; urgency=high
 .
   * CVE-2017-17051 / OSSA-2017-006: Nova FilterScheduler doubles resource
     allocations during rebuild with new image. Applied upstream patch: Fix
     doubling allocations on rebuild (Closes: 883621).
     Note: previous upload was in fact only refining the patch for addressing
     CVE-2017-16239, not CVE-2017-17051. This upload really fixes the bug for
     CVE-2017-17051.
Checksums-Sha1:

Bug#883621: marked as done (nova: CVE-2017-17051: Nova FilterScheduler doubles resource allocations during rebuild with new image)

2017-12-06 Thread Debian Bug Tracking System
Your message dated Wed, 06 Dec 2017 12:05:12 +
with message-id 
and subject line Bug#883621: fixed in nova 2:16.0.3-5
has caused the Debian Bug report #883621,
regarding nova: CVE-2017-17051: Nova FilterScheduler doubles resource 
allocations during rebuild with new image
to be marked as done.

--- Begin Message ---
Source: nova
Source-Version: 2:16.0.3-5

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand  (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 06 Dec 2017 12:24:45 +0100
Source: nova
Binary: nova-api nova-cells nova-common nova-compute nova-compute-ironic 
nova-compute-kvm nova-compute-lxc nova-compute-qemu nova-conductor nova-console 
nova-consoleauth nova-consoleproxy nova-doc nova-placement-api nova-scheduler 
nova-volume python-nova
Architecture: source all
Version: 2:16.0.3-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack 
Changed-By: Thomas Goirand 
Description:
 nova-api   - OpenStack Compute - compute API frontend
 nova-cells - Openstack Compute - cells
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-ironic - OpenStack Compute - compute node (Ironic)
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-placement-api - OpenStack compute - placement API
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 883621
Changes:
 nova (2:16.0.3-5) unstable; urgency=high
 .
   * CVE-2017-17051/OSSA-2017-005.1 (errata for CVE-2017-16239/OSSA-2017-005):
     Nova Filter Scheduler bypass through rebuild action. Apply upstream patch:
     Refined fix for validating image on rebuild (Closes: #883621).
Checksums-Sha1: