| Summary: | <sys-cluster/nova-{2012.2.4-r8,2013.1.3-r5}: console-log DoS (CVE-2013-4261) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=999271 | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
From ${URL} : Jaroslav Henner (jhenner@redhat.com) reports:

When console-log is run often enough, it seems to be causing death of nova-compute.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.

Proposed patch upstream: https://review.openstack.org/#/c/43303/

Oh, fixed in CVS, removing myself from CC.

12 Sep 2013; Matthew Thode <prometheanfire@gentoo.org> +files/2012.2.4-CVE-2013-4278.patch, +files/2013.1.3-CVE-2013-4278.patch, +nova-2012.2.4-r8.ebuild, +nova-2013.1.3-r5.ebuild, -nova-2012.2.4-r7.ebuild, -nova-2013.1.3-r4.ebuild: fix for CVE-2013-4278 for bug 482144

Package was never stable, closing as noglsa.

CVE-2013-4261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4261): OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache Qpid for the RPC backend, does not properly handle errors that occur during messaging, which allows remote attackers to cause a denial of service (connection pool consumption), as demonstrated using multiple requests that send long strings to an instance console and retrieving the console log.
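The CVE text above gives the failure class only in outline: an error raised while a pooled RPC connection is in use, the connection never handed back, and the pool empty after enough failing requests, at which point nova-compute stops answering. The Python model below is an added illustration written for this page; it is not nova's or oslo's RPC code, and the pool, the fake broker, the 64-byte size limit and the oversized console payload are all constructed here. It puts the leaking pattern beside the hardened one and counts how many failing requests it takes to drain a pool of three connections.

```python
"""Model of a pooled-connection leak on messaging errors, the failure
class described for CVE-2013-4261.

Added example for this page, not nova code. Assumptions (all constructed):
a fixed-size pool, a fake broker that rejects messages over
MAX_MESSAGE_BYTES, and an attacker-controlled oversized payload.
"""
import queue

MAX_MESSAGE_BYTES = 64  # assumed broker limit; real Qpid limits differ


class MessageTooLarge(Exception):
    """Raised by the fake broker when a payload exceeds its limit."""


class FakeBrokerConnection:
    """Stands in for one AMQP/Qpid connection."""

    def __init__(self, conn_id: int) -> None:
        self.conn_id = conn_id
        self.sent: list[bytes] = []

    def send(self, payload: bytes) -> None:
        if len(payload) > MAX_MESSAGE_BYTES:
            raise MessageTooLarge(f"{len(payload)} bytes > {MAX_MESSAGE_BYTES}")
        self.sent.append(payload)


class ConnectionPool:
    """Fixed-size pool. get() fails once every connection has been
    checked out and never returned, which models the hang the reporter saw."""

    def __init__(self, size: int) -> None:
        self.size = size
        self._free: queue.Queue = queue.Queue()
        for i in range(size):
            self._free.put(FakeBrokerConnection(i))

    def get(self, timeout: float = 0.01) -> FakeBrokerConnection:
        try:
            return self._free.get(timeout=timeout)
        except queue.Empty:
            raise RuntimeError("connection pool exhausted") from None

    def put(self, conn: FakeBrokerConnection) -> None:
        self._free.put(conn)

    def free(self) -> int:
        return self._free.qsize()


def rpc_call_leaky(pool: ConnectionPool, payload: bytes) -> None:
    """Vulnerable pattern: the connection is returned only on success.
    An exception from send() escapes and the connection is lost."""
    conn = pool.get()
    conn.send(payload)
    pool.put(conn)


def rpc_call_safe(pool: ConnectionPool, payload: bytes) -> None:
    """Hardened pattern: the connection is returned on every exit path."""
    conn = pool.get()
    try:
        conn.send(payload)
    finally:
        pool.put(conn)


def exhaust(pool: ConnectionPool, call, attempts: int, payload: bytes):
    """Push `attempts` sends of `payload` through `call` and return
    (sends rejected as too large, sends that found the pool empty,
    connections still free afterwards)."""
    too_large = exhausted = 0
    for _ in range(attempts):
        try:
            call(pool, payload)
        except MessageTooLarge:
            too_large += 1
        except RuntimeError:
            exhausted += 1
    return too_large, exhausted, pool.free()


if __name__ == "__main__":
    big = b"A" * 1024  # constructed oversized console payload
    # Three oversized sends drain the leaky pool; the next two cannot get a connection.
    print("leaky:", exhaust(ConnectionPool(3), rpc_call_leaky, 5, big))
    # Every send still fails, but all three connections come back each time.
    print("safe: ", exhaust(ConnectionPool(3), rpc_call_safe, 5, big))
```

With three connections, the leaky variant turns a fourth oversized request into a pool-exhaustion error and leaves nothing free, while the hardened variant keeps rejecting the payload without ever losing a connection; the difference is entirely the `finally` clause, which is the check to look for when reviewing any pooled-resource code path that can raise.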