Difference between revisions of "ReleaseNotes/2013.2.4"
m (→Bugs Fixed) |
(→OpenStack Identity (Keystone)) |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 8: | Line 8: | ||
== Resolved Security Issues == | == Resolved Security Issues == | ||
+ | |||
=== OpenStack Compute (Nova) === | === OpenStack Compute (Nova) === | ||
+ | * [http://lists.openstack.org/pipermail/openstack-announce/2014-April/000219.html OSSA 2014-011] / [https://launchpad.net/bugs/1290537 CVE-2014-0167] - RBAC policy not properly enforced in Nova EC2 API | ||
+ | * [http://lists.openstack.org/pipermail/openstack-announce/2014-May/000235.html OSSA 2014-017] / [https://launchpad.net/bugs/1269418 CVE-2014-2573] - Nova VMWare driver leaks rescued images | ||
+ | |||
=== OpenStack Identity (Keystone) === | === OpenStack Identity (Keystone) === | ||
+ | * [http://lists.openstack.org/pipermail/openstack-announce/2014-April/000221.html OSSA 2014-013] / [https://launchpad.net/bugs/1300274 CVE-2014-2828] - Keystone DoS through V3 API authentication chaining | ||
+ | * [http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html OSSA 2014-018] / [https://launchpad.net/bugs/1324592 CVE-2014-3476] - Keystone privilege escalation through trust chained delegation | ||
+ | |||
=== OpenStack Image Registry and Delivery Service (Glance) === | === OpenStack Image Registry and Delivery Service (Glance) === | ||
+ | * [http://lists.openstack.org/pipermail/openstack-announce/2014-April/000220.html OSSA 2014-012] / [https://launchpad.net/bugs/1298698 CVE-2014-0162] - Remote code execution in Glance Sheepdog backend | ||
+ | |||
=== OpenStack Networking (Neutron) === | === OpenStack Networking (Neutron) === | ||
− | + | * [http://lists.openstack.org/pipermail/openstack-announce/2014-March/000212.html OSSA 2014-008] / [https://bugs.launchpad.net/bugs/1243327 CVE-2014-0056] - Routers can be cross plugged by other tenants | |
+ | * [http://lists.openstack.org/pipermail/openstack-announce/2014-April/000227.html OSSA 2014-014] / [https://launchpad.net/bugs/1300785 CVE-2014-0187] - Neutron security groups bypass through invalid CIDR | ||
+ | * [http://lists.openstack.org/pipermail/openstack-announce/2014-June/000242.html OSSA 2014-019] / [https://launchpad.net/bugs/1309195 CVE-2014-4167] - Neutron L3-agent DoS through IPv6 subnet | ||
+ | |||
=== OpenStack Dashboard (Horizon) === | === OpenStack Dashboard (Horizon) === | ||
+ | * [http://lists.openstack.org/pipermail/openstack-announce/2014-April/000218.html OSSA 2014-010] / [https://launchpad.net/bugs/1289033 CVE-2014-0157] - XSS in Horizon orchestration dashboard | ||
+ | |||
=== OpenStack Orchestration (Heat) === | === OpenStack Orchestration (Heat) === | ||
− | + | * [http://lists.openstack.org/pipermail/openstack-announce/2014-May/000232.html OSSA 2014-016] / [https://launchpad.net/bugs/1311223 CVE-2014-3801] - Heat template URL information leakage | |
== Bugs Fixed == | == Bugs Fixed == | ||
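Review bot: The CVE-2014-0056 entry under Neutron links to https://bugs.launchpad.net/bugs/1243327, while every other entry added here uses the https://launchpad.net/bugs/NNNNNNN form. Use one form throughout so the list stays uniform and is easy to grep. Also consider the vendor's spelling "VMware" in the CVE-2014-2573 entry.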
Line 36: | Line 50: | ||
There is a known issue in all Havana releases that results in Neutron DHCP agent constantly resyncing its state once a network and a subnet | There is a known issue in all Havana releases that results in Neutron DHCP agent constantly resyncing its state once a network and a subnet | ||
is created with a gateway outside of it. To avoid this, users are encouraged to set force_gateway_on_subnet to True in neutron.conf. https://bugs.launchpad.net/neutron/+bug/1304181 | is created with a gateway outside of it. To avoid this, users are encouraged to set force_gateway_on_subnet to True in neutron.conf. https://bugs.launchpad.net/neutron/+bug/1304181 | ||
+ | |||
+ | [[Category:Releases]] | ||
+ | [[Category:Havana]] |
Latest revision as of 09:43, 30 September 2014
Release Notes, 2013.2.4
The 2013.2.4 release is a Havana bugfix update for OpenStack Compute (Nova), OpenStack Identity (Keystone), OpenStack Image Registry and Delivery Service (Glance), OpenStack Networking (Neutron), OpenStack Block Storage (Cinder), OpenStack Dashboard (Horizon), OpenStack Orchestration (Heat) and OpenStack Telemetry (Ceilometer). No further official Havana releases of these projects are planned.
The bugfixes contained in this release were backported from the development branches into a stable branch. The release is intended to be a low risk update with no intentional regressions or API changes.
Resolved Security Issues
OpenStack Compute (Nova)
- OSSA 2014-011 / CVE-2014-0167 - RBAC policy not properly enforced in Nova EC2 API
- OSSA 2014-017 / CVE-2014-2573 - Nova VMWare driver leaks rescued images
OpenStack Identity (Keystone)
- OSSA 2014-013 / CVE-2014-2828 - Keystone DoS through V3 API authentication chaining
- OSSA 2014-018 / CVE-2014-3476 - Keystone privilege escalation through trust chained delegation
OpenStack Image Registry and Delivery Service (Glance)
- OSSA 2014-012 / CVE-2014-0162 - Remote code execution in Glance Sheepdog backend
OpenStack Networking (Neutron)
- OSSA 2014-008 / CVE-2014-0056 - Routers can be cross plugged by other tenants
- OSSA 2014-014 / CVE-2014-0187 - Neutron security groups bypass through invalid CIDR
- OSSA 2014-019 / CVE-2014-4167 - Neutron L3-agent DoS through IPv6 subnet
OpenStack Dashboard (Horizon)
- OSSA 2014-010 / CVE-2014-0157 - XSS in Horizon orchestration dashboard
OpenStack Orchestration (Heat)
- OSSA 2014-016 / CVE-2014-3801 - Heat template URL information leakage
Bugs Fixed
In total, 180 Launchpad bugs are fixed by this update.
- List of OpenStack Compute (Nova) bugs fixed in the 2013.2.4 release
- List of OpenStack Identity (Keystone) bugs fixed in the 2013.2.4 release
- List of OpenStack Image Registry and Delivery Service (Glance) bugs fixed in the 2013.2.4 release
- List of OpenStack Networking (Neutron) bugs fixed in the 2013.2.4 release
- List of OpenStack Block Storage (Cinder) bugs fixed in the 2013.2.4 release
- List of OpenStack Dashboard (Horizon) bugs fixed in the 2013.2.4 release
- List of OpenStack Orchestration (Heat) bugs fixed in the 2013.2.4 release
- List of OpenStack Telemetry (Ceilometer) bugs fixed in the 2013.2.4 release
Known Issues and Limitations
Neutron
There is a known issue in all Havana releases that causes the Neutron DHCP agent to constantly resync its state once a network and a subnet are created with a gateway outside of the subnet. To avoid this, users are encouraged to set force_gateway_on_subnet to True in neutron.conf. See https://bugs.launchpad.net/neutron/+bug/1304181