Summary: | <sys-cluster/nova-{15.0.8,16.0.3}: Filter Scheduler bypass through rebuild action | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Francis Booth <boothf> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | openstack, prometheanfire |
Priority: | Low | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://bugs.launchpad.net/nova/+bug/1664931 | | |
Whiteboard: | B4 [noglsa cve] | | |
Package list: | | Runtime testing required: | --- |
Description
Francis Booth
2017-11-14 17:27:25 UTC
CVE-2017-16239 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16239): In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected.

@Francis, thanks for the report. Also...preserving previous URL for reference: http://www.openwall.com/lists/oss-security/2017/11/14/5

@maintainer(s), after bump, please call for stabilization when ready, thank you.

Gentoo Security Padawan (jmbailey/mbailey_j)

Ya, I'm on the embargo list so have been waiting for it to become public. I tested right after it became public as well. The pike patch doesn't cleanly apply, but as soon as the patch merges upstream mriedem said he'd make a release, I'll package it then. The ocata patch does apply cleanly though, but I'd rather wait for the release and just get the fix from that. Once the patches merge people can re-emerge 2017.1.9999 or 2017.2.9999 or wait for 15.0.8 or 16.0.3 to be packaged (which I'll ask for a quick stable on).

ok, can we get a fast stable req for the following, it has the fix.

=sys-cluster/nova-15.0.8 amd64 x86
=sys-cluster/nova-16.0.3 amd64 x86

@security ping!

commit b26270d896c39907eca945e2f79b4f6f0c0499ee seems to have handled this bug on: 2017-11-25 with note: sys-cluster/nova: 15.0.8 and 16.0.3 bup for CVE-2017-16239 bug 637506

Any reason to keep this open still?

Ah, wrong paste date... actually it was on 2017-11-14

Tree is clean