Thanks Kevin. In that case I've tagged it as a security hardening
opportunity (removes a foot-cannon), and switched the advisory task to
won't-fix.
** Information type changed from Public Security to Public
** Changed in: ossa
Status: Incomplete = Won't Fix
** Tags added: security
--
** Summary changed:
- Race condition in VNC port allocation when spawning a instance on VMware
(CVE-2014-8750)
+ [oss-security] [OSSA 2014-035] Nova VMware driver may connect VNC to another
tenant's console (CVE-2014-8750)
** Changed in: ossa
Status: Fix Committed = Fix Released
--
** Also affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1379201
Title:
openvswitch-datapath-dkms 1.4.6-0ubuntu1.12.04.3:
Switched the bug to public and marked the security advisory task wontfix
based on the above explanation.
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete = Won't Fix
--
You received this bug notification because you are a member of
Could this behavior be controlled by a would-be attacker, or is it only
up to random chance? If the former then like bug 1058077/bug 1125378 the
VMT would likely deem it a security vulnerability. If the latter like
bug 1255609 we would most probably not.
** Also affects: ossa
Importance:
This only affects juno right? (Those changes are only in the master
branch?) Just confirming we don't need an advisory for any released
versions.
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New = Incomplete
--
You received this bug
** Information type changed from Private Security to Public
** Tags added: security
** Changed in: ossa
Status: New = Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
Public bug reported:
This request failed:
http://logs.openstack.org/12/123112/1/check/check-tempest-dsvm-neutron-full/cdb7110/logs/screen-n-api.txt.gz#_2014-09-22_14_16_01_028
2014-09-22 14:16:01.028 DEBUG nova.api.openstack.wsgi
[req-bb64d882-d91e-4bff-9407-19277208e277
** Project changed: openstack-ci = nova
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1368773
Title:
nova.api.openstack.compute.pluginlibvir: error : internal error
I've marked the OSSA task as won't fix to indicate this issue isn't
one for which the project vulnerability management team would publish a
coordinated security advisory, as the conditions by which it is
triggered do not seem to be under direct control of a malicious actor
but rather one of volume
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New = Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
Got it. We use security bugs (whether private or public) to track
vulnerabilities, and use normal public bugs with the security tag for
hardening tasks.
** Tags added: security
** Information type changed from Public Security to Public
** Changed in: ossa
Status: Incomplete = Won't Fix
Can you explain what led you to conclude this is a security
vulnerability?
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New = Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is
** Information type changed from Public Security to Public
** No longer affects: ossa
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1347318
Title:
Revocation events don't handle
*** This bug is a duplicate of bug 1284718 ***
https://bugs.launchpad.net/bugs/1284718
** Information type changed from Private Security to Public
** This bug has been marked a duplicate of bug 1284718
interface-attach to external network a) works and b) results in undeletable
instances
** Tags added: security
** No longer affects: ossa
** Information type changed from Public Security to Public
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1163569
Title:
security
After discussing with Andrew and Thierry, I'm convinced that the
potential behavior change introduced by a backport of that mitigating
commit, when weighed against the amount of social engineering needed to
exploit this in Havana, means this bug is probably better just
documented as a known
Removing OSSA task since we don't need an advisory (non-exploitable).
** No longer affects: ossa
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1331092
Title:
FlatDHCP
** Information type changed from Public Security to Public
** Tags added: security
** No longer affects: ossa
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1319640
** Summary changed:
- nova rescue doesn't put VM into RESCUE status on vmware (CVE-2014-2573)
+ [OSSA 2014-017] nova rescue doesn't put VM into RESCUE status on vmware
(CVE-2014-2573)
** Changed in: ossa
Status: Fix Committed = Fix Released
--
You received this bug notification because
Since you mention this may be a security vulnerability (potential denial
of service attack) in a supported release, I've switched the bug from
public to public security and added an OSSA task in case it warrants an
advisory.
** Information type changed from Public to Public Security
** Also
** Also affects: openstack-chef
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1319319
Title:
The web server allows the
No idea why this was opened against the project for our developer
community infrastructure--relocating to neutron.
** Project changed: openstack-ci = neutron
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
Great--thanks Nachi!
** Information type changed from Public Security to Public
** No longer affects: ossa
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1112912
Title:
Switched to public following discussion with Mark.
** Information type changed from Private Security to Public
** Tags added: security
** Changed in: ossa
Status: Incomplete = Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is
** Changed in: ossa
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1275062
Title:
[OSSA 2014-004] sensitive info in image location is logged
The ipaddr failure seems to have probably been an issue with
pypi.python.org. That log is for a change to gantt, which does not
currently use the restrictive http://pypi.openstack.org/openstack/
mirror. If it should do so, add it to
openstack/requirements:projects.txt (it will also get
** Also affects: marconi
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1277507
Title:
ImportError: No module named passlib.hash
Status in
** Also affects: gantt
Importance: Undecided
Status: New
** Also affects: oslo
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
Seems to have been fixed in grenade.
** Changed in: openstack-ci
Status: New = Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1259907
Title:
I believe the log error checker resides in the tempest repository.
** Project changed: openstack-ci = tempest
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1260015
Title:
PKI token
** Project changed: openstack-ci = keystone
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1260723
Title:
Invalid OpenStack Nova credentials.
Status in OpenStack Identity (Keystone):
** Also affects: openstack-ci
Importance: Undecided
Status: New
** Changed in: openstack-ci
Status: New = In Progress
** Changed in: openstack-ci
Importance: Undecided = Critical
** Changed in: openstack-ci
Assignee: (unassigned) = Jeremy Stanley (fungi)
** Changed
** Also affects: nova
Importance: Undecided
Status: New
** Changed in: openstack-ci
Status: New = Incomplete
** Tags added: gate-failure
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
** Changed in: ossa
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1235450
Title:
[OSSA 2013-033] Metadata queries from Neutron to Nova are
Bug is now a public non-vulnerability, tagged as security hardening, no
advisory. Thanks!
** Information type changed from Private Security to Public
** Tags added: security
** Changed in: ossa
Status: Incomplete = Invalid
--
You received this bug notification because you are a member
** Changed in: ossa
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1247675
Title:
[OSSA 2013-036] Insufficient
** Changed in: ossa
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1242597
Title:
[OSSA 2013-032] Keystone trust circumvention through
Mis-filed. Switching from openstack-ci (developer tools, continuous
integration and service hosting) to nova (cloud computing fabric
controller).
** Project changed: openstack-ci = nova
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is
Marking invalid on infrastructure since this is something which has to
be fixed within the affected projects.
** Changed in: openstack-ci
Status: New = Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete = Invalid
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete = Invalid
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete = Invalid
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
** No longer affects: openstack-ci
** Changed in: glance
Status: New = Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1247194
Title:
Jenkins fails due to
This is dying somewhere in the middle of a devstack setup while running
commands via the quantumclient compat wrapper, and is only affecting
stable as far as we've seen, so I'm pretty confident the issue is not on
the infrastructure itself. Probably quantumclient, neutron or at worst
devstack...
Yes, I agree in this case it doesn't sound like any actual security
vulnerability was being addressed by that module, so no OSSA warranted.
** Changed in: ossa
Status: Incomplete = Invalid
** Information type changed from Public Security to Public
** Tags added: security
--
You
** Changed in: ossa
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1184041
Title:
[OSSA 2013-020] Denial of Service in Nova
** Changed in: ossa
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1194093
Title:
[OSSA 2013-019] Resource limit
** Changed in: ceilometer
Status: In Progress = Invalid
** Changed in: cinder
Status: In Progress = Invalid
** Changed in: ironic
Status: In Progress = Invalid
** Changed in: keystone
Status: In Progress = Invalid
** Changed in: nova
Status: In Progress =
Abandoned that change. Apparently it should now be possible to simply
uncap requests since we've started doing a pip install -U to work around
the previous site packages related breakage. I'll propose that revert to
nova instead and see how it fares.
** Changed in: openstack-ci
Status: In
I've bumped into the same error in a couple of grenade runs... possibly
related?
http://logs.openstack.org/32346/1/check/gate-grenade-devstack-vm/9021/console.html.gz
http://logs.openstack.org/32002/3/check/gate-grenade-devstack-vm/9450/console.html.gz
** Changed in: nova
Status: Invalid
This was fixed in a commit appearing in the unversioned EOL tag.
** Changed in: nova/essex
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
*** This bug is a duplicate of bug 1004114 ***
https://bugs.launchpad.net/bugs/1004114
I think this is one of the facets of the debug-level credential logging
which is being solved several ways in different places? Marking as a
duplicate of bug 1004114 but readjust if this is separate.
**
The switch from quantal to precise slaves took place yesterday without
incident, so this regression is no longer present.
** Changed in: openstack-ci
Status: In Progress = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is
We appreciate the heads up to CI on this issue since it's impacting
testing broadly across multiple projects, but it looks like it will need
to be fixed in the individual projects using the pyparsing module so I'm
marking it invalid for CI.
** Changed in: openstack-ci
Status: New = Invalid