
Difference between revisions of "SecurityAdvisories/Folsom"

 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
__NOTOC__
+
 
 
= Folsom Security Advisories =
 
= Folsom Security Advisories =
 +
 +
== Fixed in 2012.2.4 ==
 +
 +
See [[ReleaseNotes/2012.2.4]]
 +
 +
{| border="1" cellpadding="2" cellspacing="0"
 +
| Product
 +
| Date
 +
| Openstack Security Advisory
 +
| CVE Number
 +
| Title
 +
| Impact
 +
|-
 +
| Keystone
 +
| February 5, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-February/000074.html 2013-003]
 +
| [https://bugs.launchpad.net/keystone/+bug/1098307 2013-0247]
 +
|  Keystone denial of service through invalid token requests
 +
 +
|-
 +
| Nova, Cinder, Keystone
 +
| February 19, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html 2013-004]
 +
| [https://bugs.launchpad.net/nova/+bug/1100282 2013-1664, 2013-1665]
 +
|  Information leak and Denial of Service using XML entities
 +
 +
|-
 +
| Keystone
 +
| February 19, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-February/000079.html 2013-005]
 +
| [https://bugs.launchpad.net/keystone/+bug/1121494 2013-0282]
 +
| Keystone EC2-style authentication accepts disabled user/tenants
 +
 +
|-
 +
| Nova
 +
| February 26, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-February/000082.html 2013-006]
 +
| [https://bugs.launchpad.net/nova/+bug/1125378 2013-0335]
 +
| VNC proxy can connect to the wrong VM
 +
 +
|-
 +
| Glance
 +
| March 14, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-March/000085.html 2013-007]
 +
| [https://bugs.launchpad.net/glance/+bug/1135541 2013-1840]
 +
| Backend credentials leak in Glance v1 API
 +
 +
|-
 +
| Nova
 +
| March 14, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-March/000086.html 2013-008]
 +
| [https://bugs.launchpad.net/nova/+bug/1125468 2013-1838]
 +
| Nova DoS by allocating all Fixed IPs
 +
 +
|-
 +
| Keystone
 +
| March 20, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-March/000087.html 2013-009]
 +
| [https://bugs.launchpad.net/keystone/folsom/+bug/1129713 2013-1865]
 +
| Keystone PKI tokens online validation bypasses revocation check
 +
 +
|}
 +
 +
== Fixed in 2012.2.3 ==
 +
 +
See [[ReleaseNotes/2012.2.3]]
  
 
{| border="1" cellpadding="2" cellspacing="0"
 
{| border="1" cellpadding="2" cellspacing="0"
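Review bot: The seven rows added to the 2012.2.4 table each carry five cells (product, date, advisory, CVE, title) under a header that ends with `| Impact`, so the sixth column has no cell in any of them. Add an explicit Impact cell to each row, left empty where no rating was assigned, so the column count matches the header.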
Line 9: Line 75:
 
| Title
 
| Title
 
| Impact
 
| Impact
 +
|-
 +
| Nova
 +
| January 29, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-January/000070.html 2013-001]
 +
| [https://bugs.launchpad.net/nova/+bug/1069904 2013-0208]
 +
|  Boot from volume allows access to random volumes
 +
 +
|-
 +
| Glance
 +
| January 29, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-January/000071.html 2013-002]
 +
| [https://bugs.launchpad.net/glance/+bug/1098962 2013-0212]
 +
|  Backend password leak in Glance error message
 +
 
|}
 
|}
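Review bot: In the fourth cell of both added rows the link label is a bare number (`2013-0208`, `2013-0212`) while the target is a Launchpad bug page, so a reader scanning that column cannot tell the label is a CVE identifier or find it by searching for one. Write the label in full, for example `CVE-2013-0208`, and keep the bug link as the target.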
  

Latest revision as of 17:22, 10 May 2013

Folsom Security Advisories

Fixed in 2012.2.4

See ReleaseNotes/2012.2.4

{| border="1" cellpadding="2" cellspacing="0"
| Product || Date || OpenStack Security Advisory || CVE Number || Title || Impact
|-
| Keystone || February 5, 2013 || 2013-003 || 2013-0247 || Keystone denial of service through invalid token requests ||
|-
| Nova, Cinder, Keystone || February 19, 2013 || 2013-004 || 2013-1664, 2013-1665 || Information leak and Denial of Service using XML entities ||
|-
| Keystone || February 19, 2013 || 2013-005 || 2013-0282 || Keystone EC2-style authentication accepts disabled user/tenants ||
|-
| Nova || February 26, 2013 || 2013-006 || 2013-0335 || VNC proxy can connect to the wrong VM ||
|-
| Glance || March 14, 2013 || 2013-007 || 2013-1840 || Backend credentials leak in Glance v1 API ||
|-
| Nova || March 14, 2013 || 2013-008 || 2013-1838 || Nova DoS by allocating all Fixed IPs ||
|-
| Keystone || March 20, 2013 || 2013-009 || 2013-1865 || Keystone PKI tokens online validation bypasses revocation check ||
|}

Fixed in 2012.2.3

See ReleaseNotes/2012.2.3

{| border="1" cellpadding="2" cellspacing="0"
| Product || Date || OpenStack Security Advisory || CVE Number || Title || Impact
|-
| Nova || January 29, 2013 || 2013-001 || 2013-0208 || Boot from volume allows access to random volumes ||
|-
| Glance || January 29, 2013 || 2013-002 || 2013-0212 || Backend password leak in Glance error message ||
|}

Fixed in 2012.2.2

See ReleaseNotes/2012.2.2

{| border="1" cellpadding="2" cellspacing="0"
| Product || Date || OpenStack Security Advisory || CVE Number || Title || Impact
|-
| Nova || December 11, 2012 || 2012-020 || 2012-5625 || create_lvm_image allocates dirty blocks ||
|}

Fixed in 2012.2.1

See ReleaseNotes/2012.2.1

{| border="1" cellpadding="2" cellspacing="0"
| Product || Date || OpenStack Security Advisory || CVE Number || Title || Impact
|-
| Keystone || November 28, 2012 || 2012-019 || 2012-5563 || Extension of token validity through token chaining ||
|-
| Keystone || November 28, 2012 || 2012-018 || 2012-5571 || EC2-style credentials invalidation issue ||
|-
| Glance || November 7, 2012 || 2012-017 || 2012-4573 || Authentication bypass for image deletion || High
|-
| || November 9, 2012 || 2012-017.1 || 2012-5482 || ||
|}

Fixed in 2012.2

See ReleaseNotes/Folsom

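{| border="1" cellpadding="2" cellspacing="0"
| Product || Date || OpenStack Security Advisory || CVE Number || Title || Impact
|-
| Keystone || September 28, 2012 || 2012-05 || 2012-4456 || Some actions in Keystone admin API do not validate token || High
|-
| || || || 2012-4456 || ||
|}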