From ${URL} :

OpenStack Security Advisory: 2014-024
CVE: CVE-2014-3517
Date: July 17, 2014
Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected.

Juno (development branch) fix: https://review.openstack.org/107396
Icehouse https://review.openstack.org/107397
Havana https://review.openstack.org/107398

Notes:
This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517
https://launchpad.net/bugs/1325128

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
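Added example, not part of the advisory and not Nova's own code: the class of bug the advisory names, shown as an ordinary equality check on an instance ID signature next to a constant-time check. The HMAC-SHA256 construction, the function names, the secret and the instance ID are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values (placeholders, not taken from any deployment).
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = b"6f1c2a9e-0000-4000-8000-000000000001"


def sign_instance_id(secret: bytes, instance_id: bytes) -> str:
    """Signature a proxy attaches to a metadata request (assumed HMAC-SHA256)."""
    return hmac.new(secret, instance_id, hashlib.sha256).hexdigest()


def early_exit_steps(expected: str, provided: str) -> int:
    """Model of an ordinary equality check: stop at the first mismatch.

    Returns how many characters were examined. That count grows with the
    length of the correct prefix, which is what response timing exposes.
    """
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            break
    return steps


def verify_vulnerable(secret: bytes, instance_id: bytes, provided: str) -> bool:
    """Non-constant-time pattern: work done depends on the matching prefix."""
    return sign_instance_id(secret, instance_id) == provided


def verify_constant_time(secret: bytes, instance_id: bytes, provided: str) -> bool:
    """Hardened pattern: hmac.compare_digest does not stop at a mismatch."""
    expected = sign_instance_id(secret, instance_id)
    # Encode first: compare_digest raises TypeError on non-ASCII str, and the
    # provided value comes from a request header the caller does not control.
    return hmac.compare_digest(expected.encode(), provided.encode())


if __name__ == "__main__":
    good = sign_instance_id(SHARED_SECRET, INSTANCE_ID)
    print("valid signature accepted:",
          verify_constant_time(SHARED_SECRET, INSTANCE_ID, good))
```

Both verifiers return the same accept/reject answer; only the amount of work done on a rejected signature differs, which is why the defect does not show up in functional tests.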
you know, I fixed this a couple of hours ago right? :P

sys-cluster/nova-2014.1.1-r1 has the fix

removing myself