George Shuklin from servers.com reported a vulnerability in Nova. By
rebuilding an instance, an authenticated user may be able to
circumvent the Filter Scheduler bypassing imposed filters (for
example, the ImagePropertiesFilter or the IsolatedHostsFilter). All
setups using Nova Filter Scheduler are affected.
- https://review.openstack.org/519684 (Newton)
- https://review.openstack.org/519681 (Ocata)
- https://review.openstack.org/519672 (Pike)
- https://review.openstack.org/519662 (Queens)
~ eleix (Security Padawan)
Reproducible: Didn't try
In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected.
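A small POSIX sh helper, added here as an example and not part of this bug thread, that classifies a Nova version string against the affected ranges stated in the CVE text above and the fixed releases named later in the thread (15.0.8 and 16.0.3). The function names (`vercmp`, `nova_status`) and the status labels are assumptions of this example; live ebuild versions such as 2017.2.9999 track a branch rather than a release, so they are reported as `unknown` instead of being guessed.

```sh
#!/bin/sh
# Classify a Nova version against CVE-2017-16239 ranges from the advisory text:
#   affected: <= 14.0.9, 15.x <= 15.0.7, 16.x <= 16.0.2
#   fixed releases named in the thread: 15.0.8 (Ocata), 16.0.3 (Pike)
# Helper and status names (vercmp, nova_status, affected/fixed/not-listed/unknown)
# are this example's own choices, not Gentoo or OpenStack tooling.

# vercmp A B: print -1, 0 or 1 comparing dotted numeric versions component-wise.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        # strip the leading component (and its dot) from each side
        if [ "$a" = "$ap" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bp" ]; then b=""; else b="${b#*.}"; fi
        ap="${ap:-0}"; bp="${bp:-0}"          # missing components count as 0
        if [ "$ap" -lt "$bp" ]; then echo -1; return; fi
        if [ "$ap" -gt "$bp" ]; then echo 1; return; fi
    done
    echo 0
}

# nova_status VERSION: print affected, fixed, not-listed or unknown.
nova_status() {
    v="$1"
    case "$v" in
        *9999*)    echo unknown; return ;;   # live ebuild, branch snapshot
        *[!0-9.]*) echo unknown; return ;;   # not a plain dotted version
    esac
    major="${v%%.*}"
    case "$major" in
        16) if [ "$(vercmp "$v" 16.0.3)" -ge 0 ]; then echo fixed; else echo affected; fi ;;
        15) if [ "$(vercmp "$v" 15.0.8)" -ge 0 ]; then echo fixed; else echo affected; fi ;;
        *)
            # The CVE text lists "through 14.0.9" as affected and names no
            # fixed Newton release; anything outside the listed ranges is
            # reported as not-listed rather than assumed safe.
            if [ "$major" -le 14 ] && [ "$(vercmp "$v" 14.0.9)" -le 0 ]; then
                echo affected
            else
                echo not-listed
            fi ;;
    esac
}

# Demonstration on constructed inputs (the installed version would normally
# come from the package manager, e.g. the sys-cluster/nova atom in use).
for v in 14.0.9 15.0.7 15.0.8 16.0.2 16.0.3 2017.2.9999; do
    echo "nova-$v: $(nova_status "$v")"
done
```

Feed it the version of the installed sys-cluster/nova package; `affected` means the installed release falls inside a range the CVE text names, `fixed` means it is at or above the release the thread asks to stabilize, and `unknown` means the version string alone cannot decide (live ebuilds need the merged upstream patch checked directly).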
@Francis, thanks for the report. Also... preserving previous URL for reference:
@maintainer(s), after bump, please call for stabilization when ready, thank you.
Gentoo Security Padawan
Ya, I'm on the embargo list so have been waiting for it to become public. I tested right after it became public as well. The pike patch doesn't cleanly apply, but as soon as the patch merges upstream mriedem said he'd make a release, I'll package it then. The ocata patch does apply cleanly though, but I'd rather wait for the release and just get the fix from that.
Once the patches merge people can re-emerge 2017.1.9999 or 2017.2.9999 or wait for 15.0.8 or 16.0.3 to be packaged (which I'll ask for a quick stable on).
OK, can we get a fast stable req for the following? It has the fix.
=sys-cluster/nova-15.0.8 amd64 x86
=sys-cluster/nova-16.0.3 amd64 x86
commit b26270d896c39907eca945e2f79b4f6f0c0499ee seems to have handled this bug on: 2017-11-25 with note:
sys-cluster/nova: 15.0.8 and 16.0.3 bup for CVE-2017-16239 bug 637506
Any reason to keep this open still?
Ah, wrong paste date... actually it was on 2017-11-14
Tree is clean