[Openstack] [OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124)

django_openstack_auth Horizon dependency requires the additional patch above. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124 https://launchpad.net/bugs/1394370 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature

[Openstack] [OSSA 2014-039.1] Neutron DoS through invalid DNS configuration (CVE-2014-7821) ERRATA 1

: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7821 https://launchpad.net/bugs/1378450 OSSA History: 2014-12-10 - Errata 1 2014-11-19 - Original Version -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature

[Openstack] [OSSA 2015-001] L3 agent denial of service with radvd 2.0+ (CVE-2014-8153)

?name=CVE-2014-8153 Notes ~ - This fix will be included in a future 2014.2.2 release. - The OSSA announce format for the 2015 advisories has been changed to RST. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature

[Openstack] [OSSA 2015-002] Glance v2 API unrestricted path traversal through filesystem:// scheme

OpenStack VMT recommends revoking all credentials stored in files accessible by Glance as a precautionary measure. - A CVE has been requested for this issue, the OpenStack VMT will issue an errata with the correct CVE number assigned once this information is available. -- Tristan Cacqueray

[Openstack] [OSSA 2015-002.1] Glance v2 API unrestricted path traversal through filesystem:// scheme (CVE-2015-1195) ERRATA 1

accessible by Glance as a precautionary measure. OSSA History - 2015-01-20 - Errata 1 - 2015-01-15 - Original Version -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature

[Openstack] [OSSA 2015-003] Glance user storage quota bypass (CVE-2014-9623)

ences ~~ - https://launchpad.net/bugs/1398830 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9623 Notes ~ - This fix will be included in the kilo-2 development milestone and in future 2014.2.2 (juno) and 2014.1.4 (icehouse) releases. -- Tristan Cacqueray OpenStack Vulnerab

[Openstack] [OSSA 2015-005] Nova console Cross-Site WebSocket hijacking (CVE-2015-0259)

included in the kilo-3 development milestone and in the future 2014.2.3 (juno) release. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org

[Openstack] [OSSA 2015-006] Unauthorized delete of versioned Swift object (CVE-2015-1856)

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1856 Notes ~ - This fix will be included in the upcoming 2.3.0 release. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature

[Openstack] [OSSA 2015-007] S3Token TLS cert verification option not honored (CVE-2015-1852)

e=CVE-2015-1852 Notes ~ - This fix will be included in keystonemiddleware 1.6.0 release and python-keystoneclient 1.4.0 release. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature _

[Openstack] [OSSA 2015-008] Potential Keystone cache backend password leak in log (CVE-2015-3646)

OSSA-2015-008: Potential Keystone cache backend password leak in log :Date: May 04, 2015 :CVE: CVE-2015-3646 Affects ~~~ - Keystone: versions through 2014

[Openstack] [OSSA 2015-009] Persistent XSS in Horizon metadata dashboard (CVE-2015-3988)

) Credits ~~~ - Sunil Yadav from IBM (CVE-2015-3988) References ~~ - https://launchpad.net/bugs/1449260 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3988 Notes ~ - This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo) releases. -- Tristan Cacqueray

[Openstack] [OSSA 2015-010] XSS in Horizon Heat stack creation (CVE-2015-3219)

Konovalov from Mirantis (CVE-2015-3219) References ~~ - https://launchpad.net/bugs/1453074 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3219 Notes ~ - This fix will be included in future 2014.2.4 (juno) and 2015.1.1 (kilo) releases. -- Tristan Cacqueray OpenStack

[Openstack] [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file (CVE-2015-1850)

) releases. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe

Re: [Openstack] [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file (CVE-2015-1850)

[dropped openstack-announces] On 06/16/2015 12:14 PM, Haïkel wrote: >> Notes >> > ~ >> > - This fix will be included in future 2014.1.5 (icehouse), 2014.2.4 >> > (juno) and 2015.1.1 (kilo) releases. >> > > There were discussions about not issueing stable point releases anymore. > Will there

[Openstack] [OSSA 2015-011.1] Cinder host file disclosure through qcow2 backing file (CVE-2015-1851) ERRATA 1

?name=CVE-2015-1851 Notes ~ - This fix will be included in future 2014.1.5 (icehouse), 2014.2.4 (juno) and 2015.1.1 (kilo) releases. OSSA History - 2015-06-17 - Errata 1 - 2015-06-16 - Original Version -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc

[Openstack] [OSSA 2015-012] Neutron L2 agent DoS through incorrect allowed address pairs (CVE-2015-3221)

need to use 0.0.0.0/1 and 128.0.0.1/1 or ::/1 and 8000::/1 instead. The fix_zero_length_ip_prefix.py tool is provided to clean ports previously configured with a zero prefixed address pair -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenP

[Openstack] [OSSA 2015-014] Glance v2 API host file disclosure through qcow2 backing file (CVE-2015-5163)

) References ~~ - https://launchpad.net/bugs/1471912 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5163 Notes ~ - This fix will be included in the future 2015.1.2 (kilo) release. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP

[Openstack] [OSSA 2015-015] Nova instance migration process does not stop when instance is deleted (CVE-2015-3241)

~ - This fix requires oslo.concurrency >= 1.8.2 for Kilo and >= 2.3.0 for Liberty. Juno fix embeds a patched version of oslo.concurrency. - This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases. -- Tristan Cacqueray OpenStack Vulnerability Managemen

[Openstack] [OSSA 2015-016] Information leak via Swift tempurls (CVE-2015-5223)

(CVE-2015-5223) References ~~ - https://launchpad.net/bugs/1453948 - https://launchpad.net/bugs/1449212 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5223 Notes ~ - This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases. -- Tristan Cacqueray

[Openstack] [OSSA 2015-017] Nova may fail to delete images in resize state (CVE-2015-3280)

future 2014.2.4 (juno) and 2015.1.2 (kilo) releases. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to

[Openstack] [OSSA 2015-018] Neutron firewall rules bypass through port update (CVE-2015-5240)

edits ~~~ - Kevin Benton from Mirantis (CVE-2015-5240) References ~~ - https://launchpad.net/bugs/1489111 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5240 Notes ~ - This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases. -- Tristan Cacq

[Openstack] [OSSA 2015-020] Glance storage overrun (CVE-2015-5286)

2015-5286) References ~~ - https://bugs.launchpad.net/bugs/1498163 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5286 Notes ~ - This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases. -- Tristan Cacqueray OpenStack Vulnerability Manage

[Openstack] [OSSA 2015-021] Nova network security group changes are not applied to running instances (CVE-2015-7713)

(CVE-2015-7713) References ~~ - https://bugs.launchpad.net/bugs/1491307 - https://bugs.launchpad.net/bugs/1484738 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7713 Notes ~ - This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases. -- Tristan

Re: [Openstack] Keystone connection to Android project

On 01/08/2014 12:05 PM, Sayali Lunkad wrote: > Hey, > > I am trying to authenticate on Keystone using a Java application. > Are there any libraries that can be imported in Java for OpenStack clients > using which I can get easy access to OpenStack. > Any help would be highly appreciated. > > Than

[Openstack] [OSSA 2014-005] Missing SSL certificate check in Python Swift client (CVE-2013-6396)

with the server, including any used credentials. python-swiftclient fix (included in 2.0 release): https://review.openstack.org/#/c/69187 References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396 https://bugs.launchpad.net/bugs/1199783 -- Tristan Cacqueray OpenStack Vulnerab

Re: [Openstack] [OSSA 2014-005] Missing SSL certificate check in Python Swift client (CVE-2013-6396)

On 02/28/2014 07:52 PM, david.co...@oracle.com wrote: >> OpenStack Security Advisory: 2014-005 >> CVE: CVE-2013-6396 >> Date: February 17, 2014 >> Title: Missing SSL certificate check in Python Swift client >> Reporter: Thomas Leaman (HP) >> Products: python-swiftclient >> Versions: 1.0 version up

[Openstack] [OSSA 2014-006] Trustee token revocation does not work with memcache backend (CVE-2014-2237)

nchpad.net/bugs/1260080 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@list

[Openstack] [OSSA 2014-007] Potential context confusion in Keystone middleware (CVE-2014-0105)

auth_token with memcache are vulnerable. python-keystoneclient fix (included in 0.7.0 release): https://review.openstack.org/81078 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0105 https://bugs.launchpad.net/bugs/1282865 -- Tristan Cacqueray OpenStack Vulnerability

[Openstack] [OSSA 2014-009] Nova host data leak to vm instance in rescue mode (CVE-2014-0134)

ix will be included in the icehouse-rc1 development milestone and in a future 2013.2.3 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0134 https://launchpad.net/bugs/1221190 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Descriptio

[Openstack] [OSSA 2014-010] XSS in Horizon orchestration dashboard (CVE-2014-0157)

: This fix will be included in the icehouse-rc2 development milestone and in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0157 https://launchpad.net/bugs/1289033 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc

[Openstack] [OSSA 2014-011] RBAC policy not properly enforced in Nova EC2 API (CVE-2014-0167)

milestone and in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0167 https://launchpad.net/bugs/1290537 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature

[Openstack] [OSSA 2014-012] Remote code execution in Glance Sheepdog backend (CVE-2014-0162)

will be included in the icehouse-rc2 development milestone and in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0162 https://launchpad.net/bugs/1298698 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP

[Openstack] [OSSA 2014-013] Keystone DoS through V3 API authentication chaining (CVE-2014-2828)

future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2828 https://launchpad.net/bugs/1300274 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature

[Openstack] [OSSA 2014-014] Neutron security groups bypass through invalid CIDR (CVE-2014-0187)

will be included in the juno-1 development milestone and in future 2013.2.4 and 2014.1.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0187 https://launchpad.net/bugs/1300785 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description

[Openstack] [OSSA 2014-015] Keystone user and group id mismatch (CVE-2014-0204)

2014.1.1 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204 https://launchpad.net/bugs/1309228 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing

[Openstack] [OSSA 2014-016] Heat template URL information leakage (CVE-2014-3801)

releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3801 https://launchpad.net/bugs/1311223 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list

[Openstack] [OSSA 2014-018] Keystone privilege escalation through trust chained delegation (CVE-2014-3476)

ed in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3476 https://launchpad.net/bugs/1324592 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP di

[Openstack] [OSSA 2014-019] Neutron L3-agent DoS through IPv6 subnet (CVE-2014-4167)

and in future 2013.2.4 and 2014.1.2 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4167 https://launchpad.net/bugs/1309195 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature

[Openstack] [OSSA 2014-020] XSS in Swift requests through WWW-Authenticate header (CVE-2014-3497)

) fix: https://review.openstack.org/101031 Icehouse (1.13.*) fix: https://review.openstack.org/101032 Notes: This fix will be included in the upcoming 2.0.0 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497 https://launchpad.net/bugs/1327414 --· Tristan Cacqueray Open

[Openstack] [OSSA 2014-021] User token leak to message queue in pyCADF notifier middleware (CVE-2014-4615)

: Ceilometer Juno (master) branch is not affected. Those fixes will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4615 https://launchpad.net/bugs/1321080 -- Tristan Cacqueray OpenStack

[Openstack] [OSSA 2014-022] Keystone V2 trusts privilege escalation through user supplied project id (CVE-2014-3520)

/cvename.cgi?name=CVE-2014-3520 https://launchpad.net/bugs/1331912 --· Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo

[Openstack] [OSSA 2014-023] Multiple XSS vulnerabilities in Horizon (CVE-2014-3473, CVE-2014-3474, and CVE-2014-3475)

i-bin/cvename.cgi?name=CVE-2014-3473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3474 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3475 https://launchpad.net/bugs/1308727 https://launchpad.net/bugs/1320235 https://launchpad.net/bugs/1322197 -- Tristan Cacqueray OpenStack Vulnerab

[Openstack] [OSSA 2014-025] Denial of Service in Neutron allowed address pair (CVE-2014-3555)

e=CVE-2014-3555 https://launchpad.net/bugs/1336207 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Po

[Openstack] [OSSA 2014-026] Multiple vulnerabilities in Keystone revocation events (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)

eferences: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5251 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5252 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5253 https://launchpad.net/bugs/1347961 https://launchpad.net/bugs/1348820 https://launchpad.net/bugs/1349597 -- Tr

[Openstack] [OSSA 2014-027] Persistent XSS in Horizon Host Aggregates interface (CVE-2014-3594)

://review.openstack.org/115313 Notes: This fix will be included in the Juno-3 development milestone and in future 2013.2.4 and 2014.1.3 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3594 https://launchpad.net/bugs/1349491 -- Tristan Cacqueray OpenStack Vulnerability

[Openstack] [OSSA 2014-028] Glance store DoS through disk space exhaustion (CVE-2014-5356)

://review.openstack.org/115289 Notes: This fix will be included in the Juno-3 development milestone and in future 2013.2.4 and 2014.1.3 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5356 https://launchpad.net/bugs/1315321 -- Tristan Cacqueray OpenStack Vulnerability Management

[Openstack] [OSSA 2014-029] Configuration option leak through Keystone catalog (CVE-2014-3621)

. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3621 https://launchpad.net/bugs/1354208 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http

[Openstack] [OSSA 2014-032] Nova VMware driver still leaks rescued images (CVE-2014-3608)

2014.1.3 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3608 https://launchpad.net/bugs/1338830 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list

[Openstack] [OSSA 2014-033] Cinder-volume host data leak to vm instance (CVE-2014-3641)

-3641 https://launchpad.net/bugs/1350504 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to

[Openstack] [OSSA 2014-036] Potential leak of passwords into log files (CVE-2014-7230, CVE-2014-7231)

nces: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7230 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7231 https://launchpad.net/bugs/1377981 https://launchpad.net/bugs/1343604 https://launchpad.net/bugs/1345233 -- Tristan Cacqueray OpenStack Vulnerability Management Team sig

[Openstack] [OSSA 2014-037] Nova VMware instance in resize state may leak (CVE-2014-8333)

/125492 Notes: This fix was included in the 2014.2 release and will appear in a future 2014.1.4 stable point release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8333 https://launchpad.net/bugs/1359138 -- Tristan Cacqueray OpenStack Vulnerability Management Team

[Openstack] [OSSA 2014-038] Nova network DoS through API filtering (CVE-2014-3708)

/131462 Icehouse fix: https://review.openstack.org/131461 Notes: This fix will be included in future 2014.1.4 and 2014.2.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3708 https://launchpad.net/bugs/1358583 --· Tristan Cacqueray OpenStack Vulnerability Management

[Openstack] [OSSA 2014-039] Neutron DoS through invalid DNS configuration (CVE-2014-7821)

-- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http

[Openstack] [OSSA 2016-001] Nova host data leak through snapshot (CVE-2015-7548)

~~~ - Matthew Booth from Red Hat (CVE-2015-7548) References ~~ - https://bugs.launchpad.net/bugs/1524274 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7548 Notes ~ - This fix will be included in future 2015.1.3 (kilo) and 12.0.1 (liberty) releases. -- Tristan Cacqueray

[Openstack] [OSSA 2016-003] Heat denial of service through template-validate (CVE-2015-5295)

0.1 (liberty) releases. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openst

[Openstack] [OSSA 2016-004] Swift proxy-server DoS through Large Object (CVE-2016-0737, CVE-2016-0738)

roxy) - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0738 (proxy to server) Notes ~ - The client to proxy issue (CVE-2016-0737) is already fixed in Liberty - The remaining fix will be included in future 2.3.1 (Kilo) and 2.5.1 (Liberty) releases. -- Tristan Cacqueray OpenStack V

[Openstack] [OSSA 2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)

.4 (Kilo) and 2.3.3 (Liberty) releases. - Both keystone and keystonemiddleware needs to be updated -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstac

[Openstack] [OSSA 2016-006] Glance image status manipulation through locations removal (CVE-2016-0757)

are relying on the false assumption that it would be ok to replace the data of existing image in the special case that the multiple locations has been configured. -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP dig

[Openstack] [OSSA 2016-007] Nova host data leak through resize/migration (CVE-2016-2140)

m Red Hat (CVE-2016-2140) References ~~ - https://bugs.launchpad.net/bugs/1548450 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2140 Notes ~ - This fix will be included in future 2015.1.3 (kilo) and 12.0.3 (liberty) releases. -- Tristan Cacqueray OpenStack Vulnerabil

Re: [Openstack] [openstack-announce] [OSSA 2016-007] Nova host data leak through resize/migration (CVE-2016-2140)

On 03/08/2016 08:16 PM, Tristan Cacqueray wrote: > === > OSSA-2016-007: Nova host data leak through resize/migration > === > > :Date: March 08, 2016 > :

[Openstack] [OSSA 2016-007.1] Nova host data leak through resize/migration (CVE-2016-2140) ERRATA

2140 OSSA History - 2016-03-09 - Errata 1 - 2016-03-08 - Original Version -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.org/cgi-b

[Openstack] [OSSA 2016-007.2] Nova host data leak through resize/migration (CVE-2016-2140) ERRATA #2

in future 2015.1.4 (kilo) and 12.0.3 (liberty) releases. OSSA History - 2016-03-30 - Errata 2 - 2016-03-09 - Errata 1 - 2016-03-08 - Original Version -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPG

[Openstack] [OSSA-2016-009] Neutron IPTables firewall anti-spoof protection bypass (CVE-2016-5362, CVE-2016-5363, CVE-2015-8914)

CMPv6) - https://bugs.launchpad.net/bugs/1558658 (MAC, DHCP) - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5362 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5363 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8914 -- Tristan Cacqueray OpenStack Vulnerability Management Team

[Openstack] [OSSA-2016-010] XSS in Horizon client side template (CVE-2016-4428)

(CVE-2016-4428) - Brandon Sawyers from Virginia Tech (CVE-2016-4428) References ~~ - https://bugs.launchpad.net/bugs/1567673 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4428 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP dig

[Openstack] [OSSA 2016-011] Nova may fail to delete images in resize state regression (CVE-2016-7498)

://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7498 Notes ~ - This bug is similar to OSSA-2015-017 (CVE-2015-3280) and was re-introduced in the first release of Mitaka version of Nova and it was re-fixed in nova-13.1.0. -- Tristan Cacqueray OpenStack Vulnerability Management Team

[Openstack] [OSSA 2016-013] Network information disclosure through Heat template source URL (CVE-2016-9185)

~ - https://launchpad.net/bugs/1606500 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9185 -- Tristan Cacqueray OpenStack Vulnerability Management Team signature.asc Description: OpenPGP digital signature ___ Mailing list: http://lists.openstack.or

[Openstack] [OSSA-2017-003] XSS in Horizon federation mappings UI (CVE-2017-7400)

k.org/442454 (Newton) - https://review.openstack.org/442453 (Ocata) - https://review.openstack.org/442277 (Pike) Credits ~~~ - Eric Brown from VMware (CVE-2017-7400) References ~~ - https://launchpad.net/bugs/1667086 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7400

[Openstack] [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

on) - https://review.openstack.org/459732 (Ocata) - https://review.openstack.org/459705 (Pike) Credits ~~~ - Boris Bobrov from Mail.Ru (CVE-2017-2673) References ~~ - https://launchpad.net/bugs/1677723 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2673 -- Tristan Cacquera

[Openstack] [OSSA-2017-005] Nova Filter Scheduler bypass through rebuild action (CVE-2017-16239)

George Shuklin from Servers.com (CVE-2017-16239) References ~~ - https://launchpad.net/bugs/1664931 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16239 -- Tristan Cacqueray OpenStack Vulnerability Management Team pgpvM2xkw3ZcM.pgp Description

[Openstack] [OSSA 2017-005.1] Nova Filter Scheduler bypass through rebuild action (CVE-2017-16239) ERRATA

9) References ~~ - https://launchpad.net/bugs/1664931 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16239 OSSA History - 2017-12-05 - Errata 1 - 2017-11-14 - Original Version -- Tristan Cacqueray OpenStack Vulnerability Management Team pgpIX5EJBfaxc.pgp Description

[Openstack] [OSSA-2018-001] Raw underlying encrypted volume access (CVE-2017-18191)

pad.net/bugs/1739593 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18191 Notes ~ - Pike and Ocata patches disable encrypted volume swapping, this feature is now only supported in Nova version >= 17.0.0. -- Tristan Cacqueray OpenStack Vulnerability Management Team pgpYVP6CazoiT.