Jump to: navigation, search

SecurityAdvisories/Grizzly

Grizzly Security Advisories

Fixed in 2013.1.5

See ReleaseNotes/2013.1.5

Product Date Openstack Security Advisory CVE Number Title Impact
Nova October 31, 2013 2013-029 2013-4463 2013-4469 Potential Nova denial of service through compressed disk images
Nova November 14, 2013 2013-030 2013-4497 XenAPI security groups not kept through migrate or resize
Nova December 11, 2013 2013-033 2013-6419 Metadata queries from Neutron to Nova are not restricted by tenant
Nova December 18, 2013 2013-037 2013-6437 Nova compute DoS through ephemeral disk backing files
Nova January 13, 2013 2014-001 2013-7048 Nova live snapshots use an insecure local directory
Nova January 23, 2014 2014-003 2013-7130 Live migration can leak root disk into ephemeral storage
Keystone October 30, 2013 2013-028 2013-4477 Unintentional role granting with Keystone LDAP backend
Keystone December 11, 2013 2013-032 2013-6391 Keystone trust circumvention through EC2-style tokens
Keystone March 04, 2014 2014-006 2014-2237 Trustee token revocation does not work with memcache backend
Networking December 11, 2013 2013-033 2013-6419 Metadata queries from Neutron to Nova are not restricted by tenant
Horizon December 11, 2013 2013-036 2013-6458 Insufficient sanitization of Instance Name in Horizon

Fixed in 2013.1.4

See ReleaseNotes/2013.1.4

Product Date Openstack Security Advisory CVE Number Title Impact
Keystone September 11, 2013 2013-025 2013-4294 PKI tokens are never revoked using memcache token backend
Nova September 12, 2013 2013-026 2013-4261 Some sequence of characters in console-log can DoS nova-compute
Nova August 28, 2013 2013-024 2013-4278 Resource limit circumvention in Nova private flavors
Glance October 22, 2013 2013-027 2013-4428 'image_download' role in v2 causes traceback

Fixed in 2013.1.3

See ReleaseNotes/2013.1.3

Product Date Openstack Security Advisory CVE Number Title Impact
Nova August 6, 2013 2013-019 2013-2256 Resource limit circumvention in Nova private flavors
Nova August 6, 2013 2013-020 2013-4185 Denial of Service in Nova network source security groups
Nova August 8, 2013 2013-023 2013-4179 Denial of Service using XML entities in Nova extensions
Cinder August 7, 2013 2013-021 2013-4183 Cinder LVM volume driver does not support secure deletion
Cinder August 8, 2013 2013-023 2013-4202 Denial of Service using XML entities in Cinder extensions
Keystone June 13, 2013 2013-015 2013-2157 Authentication bypass when using LDAP backend

Fixed in 2013.1.2

See ReleaseNotes/2013.1.2

Product Date Openstack Security Advisory CVE Number Title Impact
Nova May 16, 2013 2013-012 2013-2096 Nova fails to verify image virtual size

Fixed in 2013.1.1

See ReleaseNotes/2013.1.1

Product Date Openstack Security Advisory CVE Number Title Impact
Keystone May 9, 2013 2013-011 2013-2059 Keystone tokens not immediately invalidated when user is deleted
Nova May 9, 2013 2013-010 2013-2030 Nova uses insecure keystone middleware tmpdir by default