Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 517306 (CVE-2014-3517) - <sys-cluster/nova-2014.1.1-r1: Use of non-constant time comparison operation (CVE-2014-3517) (OSSA 2014-024)
Summary: <sys-cluster/nova-2014.1.1-r1: Use of non-constant time comparison operation ...
Alias: CVE-2014-3517
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2014-07-17 08:47 UTC by Agostino Sarubbo
Modified: 2014-07-17 09:36 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-07-17 08:47:07 UTC
From ${URL} :

OpenStack Security Advisory: 2014-024
CVE: CVE-2014-3517
Date: July 17, 2014
Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova.  
By analyzing response times to requests for instance metadata, an attacker 
may be able to guess a valid instance ID signature. This could allow access 
to important configuration details of another instance. Only setups 
configured to proxy metadata requests via Neutron are affected.

Juno (development branch) fix:



This fix will be included in the Juno-2 development milestone and in future 
2013.2.4 and 2014.1.2 releases


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-17 09:19:03 UTC
you know, I fixed this a couple of hours ago right? :P

sys-cluster/nova-2014.1.1-r1 has the fix

removing myself