Difference between revisions of "SecurityAdvisories/Essex"
m (Text replace - "__NOTOC__" to "") |
|||
| (18 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | ||
= Essex Security Advisories = | = Essex Security Advisories = | ||
| + | |||
| + | == Fixed in 2012.1.3 == | ||
| + | |||
| + | See [[ReleaseNotes/2012.1.3]] | ||
{| border="1" cellpadding="2" cellspacing="0" | {| border="1" cellpadding="2" cellspacing="0" | ||
| Product | | Product | ||
| + | | Date | ||
| Openstack Security Advisory | | Openstack Security Advisory | ||
| CVE Number | | CVE Number | ||
| Line 10: | Line 15: | ||
|- | |- | ||
| Horizon | | Horizon | ||
| + | | August 30, 2012 | ||
| + | | [https://lists.launchpad.net/openstack/msg16278.html 2012-012] | ||
| + | | [https://bugs.launchpad.net/bugs/cve/2012-3540 2012-3540] | ||
| + | | Open redirect through 'next' parameter | ||
| + | | Medium | ||
| + | |- | ||
| + | | Keystone | ||
| + | | August 30, 2012 | ||
| + | | [https://lists.launchpad.net/openstack/msg16282.html 2012-013] | ||
| + | | [https://bugs.launchpad.net/bugs/cve/2012-3542 2012-3542] | ||
| + | | Lack of authorization for adding users to tenants | ||
| + | | Critical | ||
| + | |- | ||
| + | | Keystone | ||
| + | | September 12, 2012 | ||
| + | | [https://lists.launchpad.net/openstack/msg16659.html 2012-014] | ||
| + | | [https://bugs.launchpad.net/bugs/cve/2012-4413 2012-4413] | ||
| + | | Revoking a role does not affect existing tokens | ||
| + | | High | ||
| + | |} | ||
| + | |||
| + | == Fixed in 2012.1.2 == | ||
| + | |||
| + | See [[ReleaseNotes/2012.1.2]] | ||
| + | |||
| + | {| border="1" cellpadding="2" cellspacing="0" | ||
| + | | Product | ||
| + | | Date | ||
| + | | Openstack Security Advisory | ||
| + | | CVE Number | ||
| + | | Title | ||
| + | | Impact | ||
| + | |- | ||
| + | |rowspan=2 |Nova | ||
| + | |rowspan=2 |July 3, 2012 | ||
| + | |rowspan=2 |[https://lists.launchpad.net/openstack/msg14089.html 2012-008] | ||
| + | | [https://bugs.launchpad.net/bugs/cve/2012-3360 2012-3360] | ||
| + | |rowspan=2 |Arbitrary file injection/corruption through directory traversal issues | ||
| + | |rowspan=2 |Critical | ||
| + | |- | ||
| + | |- | ||
| + | | Nova | ||
| + | | July 11, 2012 | ||
| + | | [https://lists.launchpad.net/openstack/msg14452.html 2012-009] | ||
| + | | [https://bugs.launchpad.net/bugs/cve/2012-3371 2012-3371] | ||
| + | | Scheduler denial of service through scheduler_hints | ||
| + | | Medium | ||
| + | |- | ||
| + | | Nova | ||
| + | | August 7, 2012 | ||
| + | | [https://lists.launchpad.net/openstack/msg15549.html 2012-011] | ||
| + | | [https://bugs.launchpad.net/bugs/cve/2012-3447 2012-3447] | ||
| + | | Compute node filesystem injection/corruption | ||
| + | | Critical | ||
| + | |- | ||
| + | |rowspan=2 |Keystone | ||
| + | |rowspan=2 |September 28, 2012 | ||
| + | |rowspan=2 |[https://lists.launchpad.net/openstack/msg17034.html 2012-015] | ||
| + | | [https://bugs.launchpad.net/keystone/+bug/1006815 2012-4456] | ||
| + | |rowspan=2 |Some actions in Keystone admin API do not validate token | ||
| + | |rowspan=2 |High | ||
| + | |- | ||
| + | | [https://bugs.launchpad.net/keystone/+bug/1006822 2012-4456] | ||
| + | |- | ||
| + | | Keystone | ||
| + | | September 28, 2012 | ||
| + | | [https://lists.launchpad.net/openstack/msg17035.html 2012-016] | ||
| + | | [https://bugs.launchpad.net/keystone/+bug/988920 2012-4457] | ||
| + | | Token authorization for a user in a disabled tenant is allowed | ||
| + | | High | ||
| + | |} | ||
| + | |||
| + | == Fixed in 2012.1.1 == | ||
| + | |||
| + | See [[ReleaseNotes/2012.1.1]] | ||
| + | |||
| + | {| border="1" cellpadding="2" cellspacing="0" | ||
| + | | Product | ||
| + | | Date | ||
| + | | Openstack Security Advisory | ||
| + | | CVE Number | ||
| + | | Title | ||
| + | | Impact | ||
| + | |- | ||
| + | | Horizon | ||
| + | | April 17, 2012 | ||
| [https://lists.launchpad.net/openstack/msg10211.html 2012-004] | | [https://lists.launchpad.net/openstack/msg10211.html 2012-004] | ||
| − | | 2012-2094 | + | | [https://bugs.launchpad.net/bugs/cve/2012-2094 2012-2094] |
| XSS vulnerability in Horizon log viewer | | XSS vulnerability in Horizon log viewer | ||
| High | | High | ||
|- | |- | ||
| Nova | | Nova | ||
| + | | April 19, 2012 | ||
| [https://lists.launchpad.net/openstack/msg10268.html 2012-005] | | [https://lists.launchpad.net/openstack/msg10268.html 2012-005] | ||
| − | | 2012-2101 | + | | [https://bugs.launchpad.net/bugs/cve/2012-2101 2012-2101] |
| No quota enforced on security group rules | | No quota enforced on security group rules | ||
| High | | High | ||
|- | |- | ||
| Horizon | | Horizon | ||
| + | | May 4, 2012 | ||
| [https://lists.launchpad.net/openstack/msg11263.html 2012-006] | | [https://lists.launchpad.net/openstack/msg11263.html 2012-006] | ||
| − | | 2012-2144 | + | | [https://bugs.launchpad.net/bugs/cve/2012-2144 2012-2144] |
| Horizon session fixation and reuse | | Horizon session fixation and reuse | ||
| Critical | | Critical | ||
| + | |- | ||
| + | | Nova | ||
| + | | June 6, 2012 | ||
| + | | [https://lists.launchpad.net/openstack/msg12883.html 2012-007] | ||
| + | | [https://bugs.launchpad.net/bugs/cve/2012-2654 2012-2654] | ||
| + | | Security groups fail to be set correctly | ||
| + | | Medium | ||
| + | |- | ||
| + | |rowspan=3 |Keystone | ||
| + | |rowspan=3 |July 27, 2012 | ||
| + | |rowspan=3 |[https://lists.launchpad.net/openstack/msg15164.html 2012-010] | ||
| + | |rowspan=3 |[https://bugs.launchpad.net/bugs/cve/2012-3426 2012-3426] | ||
| + | |rowspan=3 |Various Keystone token expiration issues | ||
| + | |rowspan=3 |Medium | ||
| + | |- | ||
| + | |- | ||
Latest revision as of 23:30, 17 February 2013
Contents
Essex Security Advisories
Fixed in 2012.1.3
| Product | Date | Openstack Security Advisory | CVE Number | Title | Impact |
| Horizon | August 30, 2012 | 2012-012 | 2012-3540 | Open redirect through 'next' parameter | Medium |
| Keystone | August 30, 2012 | 2012-013 | 2012-3542 | Lack of authorization for adding users to tenants | Critical |
| Keystone | September 12, 2012 | 2012-014 | 2012-4413 | Revoking a role does not affect existing tokens | High |
Fixed in 2012.1.2
| Product | Date | Openstack Security Advisory | CVE Number | Title | Impact |
| Nova | July 3, 2012 | 2012-008 | 2012-3360 | Arbitrary file injection/corruption through directory traversal issues | Critical |
| Nova | July 11, 2012 | 2012-009 | 2012-3371 | Scheduler denial of service through scheduler_hints | Medium |
| Nova | August 7, 2012 | 2012-011 | 2012-3447 | Compute node filesystem injection/corruption | Critical |
| Keystone | September 28, 2012 | 2012-015 | 2012-4456 | Some actions in Keystone admin API do not validate token | High |
| 2012-4456 | |||||
| Keystone | September 28, 2012 | 2012-016 | 2012-4457 | Token authorization for a user in a disabled tenant is allowed | High |
Fixed in 2012.1.1
| Product | Date | Openstack Security Advisory | CVE Number | Title | Impact |
| Horizon | April 17, 2012 | 2012-004 | 2012-2094 | XSS vulnerability in Horizon log viewer | High |
| Nova | April 19, 2012 | 2012-005 | 2012-2101 | No quota enforced on security group rules | High |
| Horizon | May 4, 2012 | 2012-006 | 2012-2144 | Horizon session fixation and reuse | Critical |
| Nova | June 6, 2012 | 2012-007 | 2012-2654 | Security groups fail to be set correctly | Medium |
| Keystone | July 27, 2012 | 2012-010 | 2012-3426 | Various Keystone token expiration issues | Medium |
