Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 559968 (CVE-2015-5240) - <sys-cluster/neutron-2015.1.1-r1: Neutron firewall rules bypass through port update (CVE-2015-5240)
Summary: <sys-cluster/neutron-2015.1.1-r1: Neutron firewall rules bypass through port ...
Status: RESOLVED FIXED
Alias: CVE-2015-5240
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://lists.openstack.org/pipermail/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-08 14:57 UTC by Matthew Thode ( prometheanfire )
Modified: 2015-10-07 07:59 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-08 14:57:49 UTC
Title: Neutron firewall rules bypass through port update
Reporter: Kevin Benton (Mirantis)
Products: Neutron
Affects: versions through 2014.2.3 and 2015.1 versions through 2015.1.1

Description:
Kevin Benton from Mirantis reported a vulnerability in Neutron. By
changing the device owner of an instance's port right after it is
created, an authenticated user may prevent application of firewall rules
and so avoid IP anti-spoofing controls. All Neutron setups using the ML2
plugin or a plugin that relies on the security groups AMQP API are affected.

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-08 14:58:48 UTC
arches, please stablize the following

=sys-cluster/neutron-2015.1.1-r1
Comment 2 Agostino Sarubbo gentoo-dev 2015-09-09 07:10:39 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-09-09 07:11:03 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-10 03:51:06 UTC
maintainer cleaned up
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-09-24 01:23:13 UTC
Maintainer(s), Thank you for you for cleanup.

GLSA Vote: No
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-07 07:59:09 UTC
GLSA Vote: No