Package: neutron
Version: 2014.1.1-2
Severity: normal
Tags: security patch

pre-OSS announce below before my upload including upstream fix.

Title: Denial of Service in Neutron allowed address pair
Reporter: Liping Mao (Cisco)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1

Description:
Liping Mao from Cisco reported a denial of service vulnerability in Neutron's handling of allowed address pair. By creating a large number of allowed address pairs, an authenticated user may overwhelm neutron firewall rules and render compute nodes unusable. All Neutron setups are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/havana, stable/icehouse and master (Juno development branch) on the public disclosure date.

CVE: CVE-2014-3555

Proposed public disclosure date/time:
2014-07-17, 1500UTC
Please do not make the issue public (or release public patches) before this coordinated embargo date.

Regards,
Tristan Cacqueray
OpenStack Vulnerability Management Team

