Bug 680864 (CVE-2019-9735) - <sys-cluster/neutron-13.0.3: Unsupported dport option prevents applying security groups
Status: RESOLVED FIXED
Alias: CVE-2019-9735
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [noglsa cve]
Reported: 2019-03-18 15:54 UTC by Agostino Sarubbo
Modified: 2019-04-29 23:14 UTC


Description Agostino Sarubbo gentoo-dev 2019-03-18 15:54:18 UTC
From ${URL} :

=========================================================================
OSSA-2019-001: Unsupported dport option prevents applying security groups
=========================================================================

:Date: March 13, 2019
:CVE: CVE-2019-9735


Affects
~~~~~~~
- Neutron: <10.0.8, >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3


Description
~~~~~~~~~~~
Erik Olof Gunnar Andersson with Blizzard Entertainment reported a
vulnerability in Neutron's iptables firewall module. By setting a
destination port in a security group rule along with a protocol which
doesn't support that option (for example, VRRP), an authenticated user
may block further application of security group rules for instances
from any project/tenant on the compute hosts to which it's applied.
Only deployments using the iptables security group driver are
affected.


Patches
~~~~~~~
- https://review.openstack.org/640791 (Ocata)
- https://review.openstack.org/640790 (Pike)
- https://review.openstack.org/640702 (Queens)
- https://review.openstack.org/640685 (Rocky)
- https://review.openstack.org/640619 (Stein)


Credits
~~~~~~~
- Erik Olof Gunnar Andersson from Blizzard Entertainment (CVE-2019-9735)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1818385
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9735


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
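
An added example (not part of the bug report or the advisory): a Python check that parses the advisory's "Affects" ranges and reports whether a given Neutron version falls inside them. The function names are assumptions of this example; a version string that is not a plain release number, optionally with a Gentoo `-rN` revision, is rejected rather than guessed at.

```python
import operator
import re

# Copied verbatim from the "Affects" entry of OSSA-2019-001 for Neutron.
AFFECTS = "<10.0.8, >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3"

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}
CONSTRAINT = re.compile(r"(<=|>=|==|<|>)(\d+(?:\.\d+)*)")
# Plain release number with an optional Gentoo revision suffix such as "-r1".
RELEASE = re.compile(r"(\d+(?:\.\d+)*)(?:-r\d+)?")


def parse_version(text):
    """Return a comparable tuple; refuse pre-release or otherwise odd strings."""
    match = RELEASE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # pad so 13.0 compares equal to 13.0.0


def parse_affects(spec):
    """Comma-separated groups are alternative ranges; in a group all bounds apply."""
    ranges = []
    for group in spec.split(","):
        bounds = []
        for token in group.split():
            match = CONSTRAINT.fullmatch(token)
            if not match:
                raise ValueError(f"cannot parse constraint: {token!r}")
            bounds.append((OPS[match.group(1)], parse_version(match.group(2))))
        if not bounds:
            raise ValueError("empty range in affects specification")
        ranges.append(bounds)
    return ranges


def is_affected(installed, spec=AFFECTS):
    """True when the installed version falls inside any listed range."""
    version = parse_version(installed)
    return any(all(op(version, bound) for op, bound in bounds)
               for bounds in parse_affects(spec))


if __name__ == "__main__":
    # Constructed sample versions for illustration.
    for sample in ("10.0.7", "11.0.7", "13.0.2-r1", "13.0.3"):
        print(sample, "affected" if is_affected(sample) else "not affected")
```

A version inside these ranges is exposed only where the iptables security group driver is in use, as the advisory states.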
Comment 1 Larry the Git Cow gentoo-dev 2019-04-29 23:05:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb3e22302fab7f9d4b5cb290e126458565ae2e34

commit cb3e22302fab7f9d4b5cb290e126458565ae2e34
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2019-04-29 23:05:12 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2019-04-29 23:05:27 +0000

    sys-cluster/neutron: 13.0.3 stable amd64/x86 with cleanup
    
    Bug: https://bugs.gentoo.org/680864
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 sys-cluster/neutron/Manifest                 |   3 -
 sys-cluster/neutron/neutron-13.0.2-r1.ebuild | 231 ---------------------------
 sys-cluster/neutron/neutron-13.0.3.ebuild    |   2 +-
 3 files changed, 1 insertion(+), 235 deletions(-)
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-29 23:06:42 UTC
cleaned up, removing openstack/myself from cc, readd if needed