From ${URL} :

OpenStack Security Advisory: 2014-019
CVE: CVE-2014-4167
Date: June 18, 2014
Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1

Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 addresses from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.

Juno (development branch) fix: https://review.openstack.org/88584
Icehouse fix: https://review.openstack.org/95938
Havana fix: https://review.openstack.org/95939

Notes:
This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4167
https://launchpad.net/bugs/1309195

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
This patch is already merged into neutron-2014.1.1.ebuild. The version which did / does take the patch, neutron-2014.1-r2, was purged from portage 3 days before this submitted.

*neutron-2014.1.1 (16 Jun 2014)

  16 Jun 2014; Matthew Thode <prometheanfire@gentoo.org>
  +neutron-2014.1.1.ebuild, -files/2014.1-CVE-2014-0187.patch,
  -neutron-2014.1-r2.ebuild:
  2014.1.1 bu(m)p

In summary, the vulnerable version has been removed.
ya, it's already been released (as per https://launchpad.net/bugs/1309195 ) removing us from CC
Maintainer(s), Thank you for your work. No GLSA needed as there are no stable versions.
(In reply to Ian Delaney from comment #1)
> This patch is already merged into neutron-2014.1.1.ebuild. The version
> which did / does take the patch, neutron-2014.1-r2, was purged from portage
> 3 days before this submitted.
>
> *neutron-2014.1.1 (16 Jun 2014)
>
> 16 Jun 2014; Matthew Thode <prometheanfire@gentoo.org>
> +neutron-2014.1.1.ebuild, -files/2014.1-CVE-2014-0187.patch,
> -neutron-2014.1-r2.ebuild:
> 2014.1.1 bu(m)p
>
> In summary, the vulnerable version has been removed.

How does the patch get into ebuild?
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-cluster/neutron/neutron-2014.1.1.ebuild?r1=1.2&r2=1.3

and correction of the sqlalchemy dep is questionable:
https://github.com/openstack/neutron/commit/98bb06e4c50c2f41f7666b78847f5316e9b4d4e4
2014.1.1 isn't vulnerable, and the previous patch I removed I forgot to remove from the ebuild, really don't know how that happened. In any case I'll commit a fix in the morning, no revbump. Another security fix needs to go out soon :P
fixed kthnxbai
CVE-2014-4167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4167): The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router.