Hi folks, I initially sent this mail privately, resending it to the list on request:
Kolla-Ansible (https://docs.openstack.org/kolla-ansible/) pip packages (recommended in the doc) are vulnerable to CVE-2018-1000115. The patch has been committed and merged in stable/queens, stable/pike and stable/ocata (https://review.openstack.org/#/c/550686/). However, the pip stable packages are still based on 5.0.1, which does not contain the fix (6.0.0.0rc2, which contains the fix, is available in pip, but won't be installed by default because it's a prerelease).

While I understand that good security practices would recommend firewalling etc., and that the fixes are available, I believe having vulnerable packages in the default, recommended install is an important issue.

Moreover, I would like to suggest issuing a Security Advisory when updated packages are available, because:

- pip/system won't propose upgrades by default, users may not be aware they are vulnerable.
- users can actually be hit by CVE-2018-1000115 and participate in DDoS.
- DDoS traffic patterns observed in my cloud are not big bursts, but follow a classic daily pattern that could look legitimate and so could stay unnoticed for a long time (see graph, http://pix.toile-libre.org/?img=1522070903.png, mostly if not only DDoS traffic in).

-------------------------------------

How to verify:

git clone https://github.com/openstack/kolla-ansible ; cd kolla-ansible
git checkout tags/6.0.0.0rc2 ; git log | grep "Security memcached"
git checkout tags/5.0.1 ; git log | grep "Security memcached"
wget https://pypi.python.org/packages/cc/f2/27d9e75f2fe142b2a73c57023b055aa9a50e49ba69d7da9c7808c4f25ac1/kolla-ansible-5.0.1.tar.gz#md5=6456618318b58d844ae57b47e34ee569
tar xvzf kolla-ansible-5.0.1.tar.gz
cat kolla-ansible-5.0.1/ansible/roles/memcached/templates/memcached.json.j2
(compare with https://review.openstack.org/#/c/550686/ if needed)

Cheers,
--
Mathieu Goessens
Research Engineer
IMT Atlantique
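As an added example (not part of Mathieu's mail or of the Kolla-Ansible project), a small POSIX shell audit of a rendered memcached container config such as the one produced from memcached.json.j2: it reports whether the memcached UDP listener abused by CVE-2018-1000115 is still enabled. It assumes the fix is memcached's "-U 0" option (UDP port 0 disables the listener); the JSON samples are constructed to resemble the template's output, not copied from the package.

```shell
#!/bin/sh
# Audit helper (added example, not the project's code).
# Older memcached releases (before 1.5.6) enable UDP on port 11211 when
# no -U option is given; "-U 0" turns the UDP listener off.

# Print the UDP port a memcached command line will listen on ("0" = disabled).
memcached_udp_port() {
    line=$1
    udp_port=11211          # default when -U is absent on older releases
    set -- $line            # split the command line into words
    while [ $# -gt 0 ]; do
        case $1 in
            -U)  shift; udp_port=$1 ;;      # "-U 0" form
            -U*) udp_port=${1#-U} ;;         # "-U0" form
        esac
        shift
    done
    echo "$udp_port"
}

# Extract the "command" value from a rendered kolla container config JSON
# (single-line JSON is enough here) and classify it.
audit_memcached_json() {
    cmd=$(printf '%s\n' "$1" | sed -n 's/.*"command": *"\([^"]*\)".*/\1/p')
    port=$(memcached_udp_port "$cmd")
    if [ "$port" = "0" ]; then
        echo "OK: memcached UDP listener disabled (-U 0)"
    else
        echo "VULNERABLE: memcached UDP listener enabled (port $port)"
    fi
}

# Constructed samples: one modelled on a pre-fix template, one with the fix.
SAMPLE_OLD='{"command": "memcached -vv -l 10.0.0.5 -p 11211 -c 5000", "config_files": []}'
SAMPLE_FIXED='{"command": "memcached -vv -l 10.0.0.5 -p 11211 -c 5000 -U 0", "config_files": []}'

audit_memcached_json "$SAMPLE_OLD"
audit_memcached_json "$SAMPLE_FIXED"
```

On a deployed node the same check can be pointed at the rendered /etc/kolla/memcached/config.json instead of the constructed samples.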
OpenStack Development Mailing List (not for usage questions)