When switching a bug's type from Public to Public Security, please
clarify what about it leads you to suspect it represents an exploitable
vulnerability. I'm switching it back to a regular Public bug in the
meantime.
If this was triggered by the earlier mention of a use-after-free
condition, it
Please don't set OpenStack bugs to Public Security without some
explanation as to why you believe this to be an exploitable risk which
needs attention from the OpenStack vulnerability managers for
coordinating a possible security advisory. I'm switching this back to a
normal Public bug for now,
Slawek is one of the upstream Neutron developers. One of the Ubuntu
package maintainers will need to take care of Ubuntu's package updates.
It's probably mildly confusing that this bug report is marked as
affecting the upstream project (where it's been fixed for months) but
also the Ubuntu
I too am entirely out of my comfort zone with Javascript, so my level of
certainty is low, based solely on the text of CVE-2019-8331 which says
(all?) Bootstrap versions prior to 3.4.1 are affected. I also did not
check the rdepends for python3-xstatic-bootstrap-scss in Ubuntu and
perhaps
** Summary changed:
- Credentials API allows listing and retrieving of all users credentials
+ [OSSA-2019-006] Credentials API allows listing and retrieving of all users
credentials (CVE-2019-19687)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an
** Information type changed from Private to Public
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533724
Title:
[SRU] keystone-signing folders fill /tmp and seriously slow down
reboots
To manage
Just to get confirmation, this bug was only introduced as of Stein,
right? It's not present in Rocky or earlier?
Gage, assuming the above is true, and if nobody has any other concerns
about your proposed impact description in comment #17, you can probably
go ahead and request a CVE assignment for
Somewhat of a grammar nit on the updated title, but it would be "every
user's" or "all users'" (placement of the apostrophe in possessive nouns
is significant for indicating plurality, and "every" modifies a singular
noun as opposed to "all" which modifies a plural). This nuance in the
English
Daniel, is there any organization you want credited along with you for
reporting this defect?
Gage, I think the use of "user's" in the title (copied from the report
itself) incorrectly suggests that a user only has access to credentials
for their own user rather than, as the description explains,
The OpenStack VMT will request a CVE assignment from MITRE once we agree
on a complete impact description for this report. If you're interested
in the details of our report handling processes, you can find them here:
https://security.openstack.org/vmt-process.html#process
** Description changed:
Since this has come up again in bug 1581977 as representing a security-
related concern, I'm adding the security bugtag to it for increased
visibility. Note this is not the same as treating it as a security
vulnerability, and I don't have the impression that any CVE assignment
or security advisory
** Changed in: ossa
Status: Confirmed => Fix Released
** Summary changed:
- [SRU] Unable to install new flows on compute nodes when having broken
security group rules (CVE-2019-10876)
+ [SRU] [OSSA-2019-002] Unable to install new flows on compute nodes when
having broken security group
In that case, as we expect stable/ocata is unaffected, the affects line
should be revised as follows:
Affects: >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Thanks Gage, your proposed impact description in comment #43 looks great
(modulo decisions on any stable/ocata backport altering the "affects"
line).
** Changed in: ossa
Status: Incomplete => Confirmed
** Changed in: ossa
Assignee: (unassigned) => Gage Hugo (gagehugo)
** Changed in:
I see backports to pike, queens, rocky and the stein release candidate
branches have been proposed according to
https://review.openstack.org/#/q/I17ab643abbd2ec21eda4ae1dfb9abf2d4b0657f2
and have been positively scored by some stable branch reviewers, so I'm
going to take that as a sign the
Thanks for the heads up, Joshua!
The OpenStack VMT is, in turn, waiting for the reporter, Neutron
reviewers or, well, anybody really to clarify the impact of this bug and
indicate whether a fix will be implemented in stable branches (per my
comment #35).
--
You received this bug notification
Is there a chance anyone's working on backporting
I17ab643abbd2ec21eda4ae1dfb9abf2d4b0657f2 upstream to stable/pike
through stable/rocky? Is the impact roughly similar in nature to
https://security.openstack.org/ossa/OSSA-2019-001.html or can someone
make an attempt at describing a viable exploit
Chris: I don't doubt that this could be a crippling incident, but you
say you took down your own cloud and did so accidentally... can you
provide a similar scenario where a non-admin user is able to
intentionally bring about the same result? That's mostly what I'm
looking for to be able to
Thanks! I'm mostly looking for an exploit scenario whereby a malicious
actor can intentionally cause harm/deny access to the operating
environment for other users. Absent this, we'd probably not bother to
issue a security advisory about it.
--
You received this bug notification because you are a
Is the denial of service concern that an authenticated user could
engineer a build failure (perhaps by attempting to boot an intentionally
corrupt image they uploaded) and perform that action repeatedly to cause
the environment to no longer to be able to schedule instances to any of
the hypervisor
A CVE can be requested by anyone for any defect. The OpenStack VMT
doesn't generally request CVEs for projects it doesn't oversee, but we
have a brief overview of what we'd generally recommend putting in
MITRE's CVE Request form documented at https://security.openstack.org
https://packages.ubuntu.com/bionic/gnocchi-api seems to indicate it's
coming straight through an import from Debian, where the current
OpenStack ecosystem is packaged to use only Python 3.x. This probably
makes it incompatible with the official Ubuntu OpenStack packaging which
still relies on
** Changed in: ossa
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1664931
Title:
[OSSA-2017-005] nova rebuild ignores all image properties and
This is fixed by the weather-util 2.3-2 source package in Artful, if
someone wants to attempt an SRU of that to Trusty and/or Xenial.
** Changed in: weather-util (Ubuntu)
Status: New => Fix Released
** Changed in: weather-util (Ubuntu)
Assignee: (unassigned) => Jeremy Stanley
This is fixed by the weather-util-data 2.3-1 package in Zesty, but that
version of weather-util contains a nasty Py3k incompatibility which is
fixed in the 2.3-2 package which just migrated to Debian testing today
and so should probably get auto-imported to Zesty soon (after which we
can think
This was fixed in the 2.3-1 upload to Debian/sid, subsequently imported
to Ubuntu/zesty.
** Changed in: weather-util (Ubuntu)
Assignee: (unassigned) => Jeremy Stanley (fungi)
** Changed in: weather-util (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notifi
** Summary changed:
- qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
+ [OSSA 2016-012] qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
** Changed in: ossa
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of
Status update: it looks like all Glance and Nova fixes have merged; so
too have the master and stable/newton changes for Cinder. At this point
we're waiting for https://review.openstack.org/375625 (Cinder's
stable/mitaka fix) to merge, and we don't seem to have a stable/liberty
backport for
Tristan: I'm still a little confused on the oslo.concurrency
recommendation. Are you saying that we should suggest stable/liberty and
stable/mitaka deployments to also use oslo.concurrency>=3.8.0? At the
moment the tips of stable/liberty and stable/mitaka branches for
oslo.concurrency are tagged
Hemanth, Daniel: So that means the current patches to Nova are
insufficient because they missed `qemu-image convert` invocations? For
example at
http://git.openstack.org/cgit/openstack/nova/tree/nova/virt/xenapi/vm_utils.py#n1128
Tristan: Thanks, it looked like oslo.concurrency got backports to
Following discussion with Sean and Hemanth, it looks like we ought to
get fixes for this into supported branches of Cinder and Glance after
all. Hopefully getting them merged goes quickly now that Nova has
already trodden this ground and the fixes are basically identical
between them.
Assuming
I'm resurrecting Grant's proposed impact description from comment #28
and updating for the year of time which has passed since. I've also
edited it to remove references to Cinder and Glance... are those
effectively still impacted in any supported branches? I see that the
tasks API in Glance
** Changed in: ossa
Status: Incomplete => In Progress
** Changed in: ossa
Assignee: (unassigned) => Jeremy Stanley (fungi)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1449062
Based on the thread at http://lists.openstack.org/pipermail/openstack-
dev/2016-September/104091.html we may need to figure out how to adjust
the messaging to indicate that it was a severe enough bug to fix in
stable/mitaka but that stable/liberty will be left unfixed.
** Changed in: ossa
** Information type changed from Public Security to Public
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1376316
Title:
nova absolute-limits floating ip count is incorrect in a neutron based
Correct, we consider that latter case a "security hardening opportunity"
and I'm triaging this report as one now (class D in our taxonomy
https://security.openstack.org/vmt-process.html#incident-report-taxonomy
). Depending on severity and available time from editors in the Security
Team, these
Correct, we consider that latter case a "security hardening opportunity"
and I'm triaging this report as one now (class D in our taxonomy
https://security.openstack.org/vmt-process.html#incident-report-taxonomy
). Depending on severity and available time from editors in the Security
Team, these
It looks like bug 1514396 has been opened for the same issue in the V1
API.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-cinderclient in Ubuntu.
https://bugs.launchpad.net/bugs/1422046
Title:
cinder backup-list is always
It looks like bug 1514396 has been opened for the same issue in the V1
API.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1422046
Title:
cinder backup-list is always listing all tenants's bug for
While I agree there is a non-negligible risk presented by this behavior,
I don't see how a malicious actor could use this flaw to their
advantage. As such, it doesn't seem like something for which the
OpenStack Vulnerability Management Team would issue an official security
advisory.
--
You
Sounds like we're agreed that this report concerns a serious bug with
security implications (insofar as any means of accidentally destroying
your environment is), but is not an exploitable vulnerability, does not
need a CVE assignment requested by the VMT and won't lead to any
official security
While I agree there is a non-negligible risk presented by this behavior,
I don't see how a malicious actor could use this flaw to their
advantage. As such, it doesn't seem like something for which the
OpenStack Vulnerability Management Team would issue an official security
advisory.
--
You
Sounds like we're agreed that this report concerns a serious bug with
security implications (insofar as any means of accidentally destroying
your environment is), but is not an exploitable vulnerability, does not
need a CVE assignment requested by the VMT and won't lead to any
official security
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.
** Also affects: ossa
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.
** Also affects: ossa
Brian, was comment #5 a mis-update? This bug is about getting newer
Python 3.4 into Trusty, not a newer python-urllib3 module.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1348954
Title:
update
Based on E-mail discussion with Barry and Matthias, it sounds like the
plan now is to SRU MRE Python 3.4.3 into Trusty once it's available (due
out February 22, 2015 according to the official release schedule).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
Based on E-mail discussion with Barry and Matthias, it sounds like the
plan now is to SRU MRE Python 3.4.3 into Trusty once it's available (due
out February 22, 2015 according to the official release schedule).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
Based on E-mail discussion with Barry and Matthias, it sounds like the
plan now is to SRU MRE Python 3.4.3 into Trusty once it's available (due
out February 22, 2015 according to the official release schedule).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
It's now (UTC) Thursday.
** Changed in: ossa
Status: Incomplete = Won't Fix
** Tags added: security
** Information type changed from Public Security to Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
It's now (UTC) Thursday.
** Changed in: ossa
Status: Incomplete = Won't Fix
** Tags added: security
** Information type changed from Public Security to Public
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Agreed, this is class C2 (a vulnerability in some dependency, not in
OpenStack code, and so nothing we're going to fix with a patch to
OpenStack security supported projects nor anything for which we should
issue a security advisory). If there are no disagreements, I'll switch
this to a regular
Agreed, this is class C2 (a vulnerability in some dependency, not in
OpenStack code, and so nothing we're going to fix with a patch to
OpenStack security supported projects nor anything for which we should
issue a security advisory). If there are no disagreements, I'll switch
this to a regular
** Changed in: ossa
Assignee: hzxiongwenwu (xwwzzy) = (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/832507
Title:
console.log grows indefinitely
To manage
** Changed in: ossa
Assignee: hzxiongwenwu (xwwzzy) = (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/832507
Title:
console.log grows indefinitely
To manage notifications about
Is the plan to solve this in Trusty via bug 1348954 or to separately SRU
the upstream patch?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1367907
Title:
Segfault in gc with cyclic trash
To manage
Is there any chance we could get latest upstream 3.4 SRU'd soon? We're
tracking a couple of relatively serious regressions issues fixed
upstream but still present in Trusty. See bug 1367907 and bug 1382607
for details.
--
You received this bug notification because you are a member of Ubuntu
Is the plan to solve this in Trusty via bug 1348954 or to separately SRU
the upstream patch?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1382607
Title:
[SRU] Backport python3.4 logging module
I've confirmed that upgrading a Trusty/amd64 VM to the python3.4
packages in that PPA fixes the issue we observed running unit tests for
OpenStack's oslo.messaging project under that interpreter.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed
** Also affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvswitch in Ubuntu.
https://bugs.launchpad.net/bugs/1379201
Title:
openvswitch-datapath-dkms
** Also affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1379201
Title:
openvswitch-datapath-dkms 1.4.6-0ubuntu1.12.04.3: openvswitch
Public bug reported:
Trusty's pypy 2.2.1+dfsg-1 package seems to be affected by PyPy bugs
https://bitbucket.org/pypy/pypy/issue/1669 and
https://bitbucket.org/pypy/pypy/issue/1694/ (which are probably
duplicates manifesting in a couple ways). This bug is fixed in
** Tags added: gate-failure
** Changed in: openstack-ci
Status: New = Triaged
** Changed in: openstack-ci
Importance: Undecided = Medium
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: git-review
Importance: Undecided = High
** Changed in: git-review
Assignee: (unassigned) = Matthieu Baerts (matttbe)
** Changed in: git-review
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
Seems there's consensus that this is not an exploitable vulnerability.
Also, the bug was originally, even if only very briefly, public when it
was first opened (thus broader exposure has already compromised any
effective embargo).
** Changed in: ossa
Status: Incomplete = Invalid
**
Seems there's consensus that this is not an exploitable vulnerability.
Also, the bug was originally, even if only very briefly, public when it
was first opened (thus broader exposure has already compromised any
effective embargo).
** Changed in: ossa
Status: Incomplete = Invalid
**
Note that we inadvertently tested libvirt from UCA on all our CI
infrastructure today and ran into bug 1266711 (probably related).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1228977
Title:
n-cpu
I got a few minutes to recreate the failing test run and tarred up the
screen-n-*.log files (attached) once it finished.
** Attachment added: Nova screen logs from failing tempest run
https://bugs.launchpad.net/nova/+bug/1228977/+attachment/3919446/+files/screen-n-logs.tar.xz
--
You
Adding the libvirt log as Chuck requested in IRC just now.
** Attachment added: libvirtd.log
https://bugs.launchpad.net/nova/+bug/1228977/+attachment/3919471/+files/libvirtd.log
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Worth noting, when running full tempest on an 8GB DevStack VM in both
Rackspace and HPCloud with Ubuntu Cloud Archive added to the sources
list, I get numerous job failures with corresponding repetitions of this
in the console:
Traceback (most recent call last):
File
Probably--I wasn't collecting logs, just confirming whether or not
gating is going to break if we reenable UCA. If nobody with nova
debugging experience or interest in using UCA/newer libvirt has time to
repeat that experiment, I can recreate it and find/attach the service
logs some time in the
** Also affects: pbr
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1245676
Title:
pip install pbr==0.5.22 fails unless run twice on ubuntu 12.04
To
I get a clean cacti_0.8.7i-2ubuntu1.1_all.deb via 'debuild -b -uc -us'
on an up to date precise VM with this debdiff applied, though lintian is
mildly displeased with your changelog.Debian addition...
Now running lintian...
W: cacti: debian-changelog-line-too-long line 4
W: cacti:
*** This bug is a security vulnerability ***
Public security bug reported:
The cacti source in Debian/sid as of today now addresses CVE-2013-1434
and CVE-2013-1435.
** Affects: cacti (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to
** No longer affects: git-review
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1193172
Title:
Populating Hyper-V MSR for Ubuntu 13.10
To manage notifications about this bug go to:
Upstream Sphinx issue report is at:
https://bitbucket.org/birkenfeld/sphinx/issue/998/docutils-010-will-
break-sphinx-manpage
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1069894
Title:
Sphinx
77 matches
Mail list logo
