Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 570240 (CVE-2015-7944) - <app-emulation/ganeti-2.15.2-r5: multiple vulnerabilities (CVE-2015-{7944,7945})
Summary: <app-emulation/ganeti-2.15.2-r5: multiple vulnerabilities (CVE-2015-{7944,7945})
Status: RESOLVED FIXED
Alias: CVE-2015-7944
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-30 13:37 UTC by Agostino Sarubbo
Modified: 2016-12-02 08:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-12-30 13:37:18 UTC
From ${URL} :

Ganeti, an open source virtualization manager, suffers from multiple issues in
its RESTful control interface (RAPI).

The distributed replicated storage (DRBD) secret is leaked by the RAPI
interface when job results are requested. Leveraging on the knowledge of
this secret, a malicious user who had already gained access to the storage
network of the cluster can retrieve instance data more easily and reliably.

The RAPI interface is also vulnerable to a DoS condition, triggered via SSL
parameter renegotiation issued by a malicious client. The condition leads to
resource exhaustion on the master node.

Affected version:

Ganeti <=2.9.6, <=2.10.7, <=2.11.7, <=2.12.5, <=2.13.2, <=2.14.1, <=2.15.1

Fixed version:

Ganeti >=2.9.7, >=2.10.8, >=2.11.8, >=2.12.6, >=2.13.3, >=2.14.2, >=2.15.2

Credit: vulnerability reported by Pierre Kim <pierre [dot] kim [dot] sec [at] gmail [dot] com>.

CVE:

CVE-2015-7944 (DoS), CVE-2015-7945 (DRBD secret leak) 

Timeline:

2015-12-21: vulnerability report received
2015-12-24: contacted affected vendors
2015-12-30: advisory release

References:

http://downloads.ganeti.org/releases

Permalink:

http://www.ocert.org/advisories/ocert-2015-012.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-19 08:38:21 UTC
2.15.2 is in the tree.

@maintainers, bump for action.
Comment 2 Patrick McLean gentoo-dev 2016-03-19 21:47:55 UTC
2.15.2 is ready for stabilization
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-21 19:05:48 UTC
@ Arches,

please test and mark stable: =app-emulation/ganeti-2.15.2-r5
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-26 10:51:26 UTC
@chutzpah

Repoman complains because there are some missing stable packages. Could you provide a full list? thanks.
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-01 11:50:59 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-01 11:51:55 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-02 08:18:46 UTC
GLSA Vote: No