
Bug 513822 (CVE-2014-4167)

Summary: <sys-cluster/neutron-2014.1.1: L3-agent DoS through IPv6 subnet (CVE-2014-4167) (OSSA 2014-019)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/06/18/10
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-06-19 09:30:29 UTC
From ${URL} :

OpenStack Security Advisory: 2014-019
CVE: CVE-2014-4167
Date: June 18, 2014
Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1

Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron
L3-agent. By creating an IPv6 private subnet attached to a L3 router, an
authenticated user may break the L3-agent, preventing further floating
IPv4 addresses from being attached for the entire cloud. Note: removal
of the faulty network can not be done using the API and must be cleaned
at the database level. Only Neutron setups using IPv6 and L3-agent are
affected.

Juno (development branch) fix:
https://review.openstack.org/88584

Icehouse fix:
https://review.openstack.org/95938

Havana fix:
https://review.openstack.org/95939

Notes:
This fix will be included in the Juno-2 development milestone and in
future 2013.2.4 and 2014.1.2 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4167
https://launchpad.net/bugs/1309195



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
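
An added example (not part of the advisory, of this bug report, or of Neutron's code): a check an operator could run over exported Neutron subnet and port records to list routers that have an IPv6 subnet on a router interface, the configuration the advisory names. The field names follow the Neutron v2.0 API; the function name and all sample records are constructed for illustration.

```python
# Added example: list routers whose interfaces sit on IPv6 subnets.
# Field names follow the Neutron v2.0 API "subnets" and "ports" resources.
import ipaddress
from collections import defaultdict

ROUTER_INTERFACE = "network:router_interface"

# Constructed sample records (not taken from any real deployment).
SAMPLE_SUBNETS = [
    {"id": "sub-v4", "cidr": "10.0.0.0/24", "tenant_id": "tenant-1"},
    {"id": "sub-v6", "cidr": "fd00:10::/64", "tenant_id": "tenant-2"},
    {"id": "sub-v6-idle", "cidr": "fd00:20::/64", "tenant_id": "tenant-2"},
]
SAMPLE_PORTS = [
    {"device_owner": ROUTER_INTERFACE, "device_id": "router-a",
     "fixed_ips": [{"subnet_id": "sub-v4", "ip_address": "10.0.0.1"}]},
    {"device_owner": ROUTER_INTERFACE, "device_id": "router-b",
     "fixed_ips": [{"subnet_id": "sub-v6", "ip_address": "fd00:10::1"}]},
    {"device_owner": "compute:nova", "device_id": "vm-1",
     "fixed_ips": [{"subnet_id": "sub-v6", "ip_address": "fd00:10::5"}]},
]


def ipv6_router_attachments(subnets, ports):
    """Map router id -> [(subnet id, cidr, tenant id)] for IPv6 router interfaces."""
    v6_subnets = {}
    for subnet in subnets:
        # Classify by CIDR so a missing or wrong ip_version field cannot hide a subnet.
        if ipaddress.ip_network(subnet["cidr"], strict=False).version == 6:
            v6_subnets[subnet["id"]] = subnet
    hits = defaultdict(list)
    for port in ports:
        if port.get("device_owner") != ROUTER_INTERFACE:
            continue  # instance, DHCP and gateway ports are not router interfaces
        for fixed_ip in port.get("fixed_ips", []):
            subnet = v6_subnets.get(fixed_ip.get("subnet_id"))
            if subnet is not None:
                hits[port["device_id"]].append(
                    (subnet["id"], subnet["cidr"], subnet.get("tenant_id")))
    return dict(hits)


if __name__ == "__main__":
    for router, found in ipv6_router_attachments(SAMPLE_SUBNETS, SAMPLE_PORTS).items():
        for subnet_id, cidr, tenant in found:
            print(f"router {router}: IPv6 subnet {subnet_id} ({cidr}), tenant {tenant}")
```

Fed the `subnets` and `ports` lists exported from a deployment, the function returns only routers with an IPv6 subnet on an interface port; IPv6 subnets that are unattached or used only by instances are not reported.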

Comment 1 Ian Delaney (RETIRED) gentoo-dev 2014-06-24 08:09:44 UTC
This patch is already merged into neutron-2014.1.1.ebuild. The version which did / does take the patch, neutron-2014.1-r2, was purged from portage 3 days before this was submitted.

*neutron-2014.1.1 (16 Jun 2014)

  16 Jun 2014; Matthew Thode <prometheanfire@gentoo.org>
  +neutron-2014.1.1.ebuild, -files/2014.1-CVE-2014-0187.patch,
  -neutron-2014.1-r2.ebuild:
  2014.1.1 bu(m)p

In summary, the vulnerable version has been removed.

Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-24 14:44:54 UTC
ya, it's already been released (as per https://launchpad.net/bugs/1309195 )

removing us from CC

Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-06-26 05:15:32 UTC
Maintainer(s), Thank you for your work.

No GLSA needed as there are no stable versions.

Comment 4 Vadim Kuznetsov (RETIRED) gentoo-dev 2014-07-15 12:39:43 UTC
(In reply to Ian Delaney from comment #1)
> This patch is already merged into neutron-2014.1.1.ebuild. The version
> which did / does take the patch, neutron-2014.1-r2, was purged from portage
> 3 days before this was submitted.
> 
> *neutron-2014.1.1 (16 Jun 2014)
> 
>   16 Jun 2014; Matthew Thode <prometheanfire@gentoo.org>
>   +neutron-2014.1.1.ebuild, -files/2014.1-CVE-2014-0187.patch,
>   -neutron-2014.1-r2.ebuild:
>   2014.1.1 bu(m)p
> 
> In summary, the vulnerable version has been removed.

How does the patch get into ebuild?

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-cluster/neutron/neutron-2014.1.1.ebuild?r1=1.2&r2=1.3

and correction of the sqlalchemy dep is questionable:
https://github.com/openstack/neutron/commit/98bb06e4c50c2f41f7666b78847f5316e9b4d4e4

Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-17 06:57:29 UTC
2014.1.1 isn't vulnerable, and the previous patch I removed I forgot to remove from the ebuild, really don't know how that happened.  In any case I'll commit a fix in the morning, no revbump.  Another security fix needs to go out soon :P

Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-17 09:20:19 UTC
fixed kthnxbai

Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 00:42:23 UTC
CVE-2014-4167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4167):
  The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2,
  and Juno before Juno-2 allows remote authenticated users to cause a denial
  of service (IPv4 address attachment outage) by attaching an IPv6 private
  subnet to a L3 router.