Bug 482148 (CVE-2013-4261) - <sys-cluster/nova-{2012.2.4-r8,2013.1.3-r5}: console-log DoS (CVE-2013-4261)
Summary: <sys-cluster/nova-{2012.2.4-r8,2013.1.3-r5}: console-log DoS (CVE-2013-4261)
Status: RESOLVED FIXED
Alias: CVE-2013-4261
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [noglsa]
Reported: 2013-08-22 20:26 UTC by Agostino Sarubbo
Modified: 2013-11-05 02:25 UTC
Description Agostino Sarubbo gentoo-dev 2013-08-22 20:26:01 UTC
From ${URL} :

Jaroslav Henner (jhenner@redhat.com) reports:

When console-log is run often enough, it seems to be causing death of nova-compute.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Andrew Hamilton 2013-08-27 02:09:20 UTC
Proposed patch upstream: https://review.openstack.org/#/c/43303/
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-09-12 06:28:32 UTC
oh, fixed in cvs, removing myself from cc
Comment 3 Sergey Popov (RETIRED) gentoo-dev 2013-09-12 10:59:12 UTC
  12 Sep 2013; Matthew Thode <prometheanfire@gentoo.org>
  +files/2012.2.4-CVE-2013-4278.patch, +files/2013.1.3-CVE-2013-4278.patch,
  +nova-2012.2.4-r8.ebuild, +nova-2013.1.3-r5.ebuild, -nova-2012.2.4-r7.ebuild,
  -nova-2013.1.3-r4.ebuild:
  fix for CVE-2013-4278 for bug 482144

Package was never stable, closing as noglsa
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:25:07 UTC
CVE-2013-4261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4261):
  OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache
  Qpid for the RPC backend, does not properly handle errors that occur during
  messaging, which allows remote attackers to cause a denial of service
  (connection pool consumption), as demonstrated using multiple requests that
  send long strings to an instance console and retrieving the console log.