Difference between revisions of "SecurityAdvisories/Havana"
(Created page with " = Havana Security Advisories = == Fixed in 2013.2.2 == See ReleaseNotes/2013.2.2 {| border="1" cellpadding="2" cellspacing="0" | Product | Date | Openstack Security Adv...") |
(→Fixed in 2013.2.1) |
||
Line 53: | Line 53: | ||
| Title | | Title | ||
| Impact | | Impact | ||
+ | |- | ||
+ | | Nova | ||
+ | | October 31, 2013 | ||
+ | | [http://lists.openstack.org/pipermail/openstack-announce/2013-October/000159.html 2013-029] | ||
+ | | [https://bugs.launchpad.net/nova/+bug/1206081 2013-4463 2013-4469] | ||
+ | | Potential Nova denial of service through compressed disk images | ||
+ | | | ||
+ | |- | ||
+ | | Nova | ||
+ | | December 11, 2013 | ||
+ | | [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000169.html 2013-033] | ||
+ | | [https://launchpad.net/bugs/1235450 2013-6419] | ||
+ | | Metadata queries from Neutron to Nova are not restricted by tenant | ||
+ | | | ||
+ | |- | ||
+ | | Keystone | ||
+ | | October 30, 2013 | ||
+ | | [http://lists.openstack.org/pipermail/openstack-announce/2013-October/000158.html 2013-028] | ||
+ | | [https://bugs.launchpad.net/keystone/+bug/1242855 2013-4477] | ||
+ | | Unintentional role granting with Keystone LDAP backend | ||
+ | | | ||
|- | |- | ||
| Keystone | | Keystone | ||
− | | | + | | December 11, 2013 |
− | | [] | + | | [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000168.html 2013-032] |
− | | [] | + | | [https://launchpad.net/bugs/1242597 2013-6391] |
+ | | Keystone trust circumvention through EC2-style tokens | ||
+ | | | ||
+ | |- | ||
+ | | Neutron | ||
+ | | December 11, 2013 | ||
+ | | [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000169.html 2013-033] | ||
+ | | [https://launchpad.net/bugs/1235450 2013-6419] | ||
+ | | Metadata queries from Neutron to Nova are not restricted by tenant | ||
+ | | | ||
+ | |- | ||
+ | | Horizon | ||
+ | | December 11, 2013 | ||
+ | | [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000173.html 2013-036] | ||
+ | | [https://launchpad.net/bugs/1247675 2013-6458] | ||
+ | | Insufficient sanitization of Instance Name in Horizon | ||
+ | | | ||
+ | |- | ||
+ | | Heat | ||
+ | | December 11, 2013 | ||
+ | | [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000171.html 2013-034] | ||
+ | | [https://launchpad.net/bugs/1256049 2013-6426] | ||
+ | | Heat CFN policy rules not all enforced | ||
+ | | | ||
+ | |- | ||
+ | | Heat | ||
+ | | December 11, 2013 | ||
+ | | [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000172.html 2013-035] | ||
+ | | [https://launchpad.net/bugs/1256983 2013-6428] | ||
+ | | Heat ReST API doesn't respect tenant scoping | ||
| | | | ||
+ | |- | ||
+ | | Ceilometer | ||
+ | | November 25, 2013 | ||
+ | | [http://lists.openstack.org/pipermail/openstack-announce/2013-November/000164.html 2013-031] | ||
+ | | [https://bugs.launchpad.net/ceilometer/+bug/1244476 2013-6384] | ||
+ | | Ceilometer DB2/MongoDB backend password leak | ||
| | | | ||
|} | |} |
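Review bot: The Impact cell is left empty in every row this hunk adds (the bare `|` after each Title line), so the column declared in the header carries no information for any 2013.2.1 advisory; either fill it in per advisory or drop the column from the table. In the first Nova row the CVE cell puts two ids (2013-4463 2013-4469) inside a single link label pointing at one Launchpad bug, so it would read more clearly with each id listed separately. The Nova and Neutron rows for 2013-033 / 2013-6419 are identical apart from the product name; if that duplication is intentional because both projects are affected, a short remark in the Impact cell would make that clear.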
Revision as of 13:25, 21 February 2014
Havana Security Advisories
Fixed in 2013.2.2
Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
Nova | December 18, 2013 | 2013-037 | 2013-6437 | Nova compute DoS through ephemeral disk backing files | |
Nova | January 13, 2013 | 2014-001 | 2013-7048 | Nova live snapshots use an insecure local directory | |
Nova | January 23, 2014 | 2014-003 | 2013-7130 | Live migration can leak root disk into ephemeral storage | |
Glance | February 12, 2014 | 2014-004 | 2014-1948 | Glance Swift store backend password leak | |
Fixed in 2013.2.1
Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
Nova | October 31, 2013 | 2013-029 | 2013-4463 2013-4469 | Potential Nova denial of service through compressed disk images | |
Nova | December 11, 2013 | 2013-033 | 2013-6419 | Metadata queries from Neutron to Nova are not restricted by tenant | |
Keystone | October 30, 2013 | 2013-028 | 2013-4477 | Unintentional role granting with Keystone LDAP backend | |
Keystone | December 11, 2013 | 2013-032 | 2013-6391 | Keystone trust circumvention through EC2-style tokens | |
Neutron | December 11, 2013 | 2013-033 | 2013-6419 | Metadata queries from Neutron to Nova are not restricted by tenant | |
Horizon | December 11, 2013 | 2013-036 | 2013-6458 | Insufficient sanitization of Instance Name in Horizon | |
Heat | December 11, 2013 | 2013-034 | 2013-6426 | Heat CFN policy rules not all enforced | |
Heat | December 11, 2013 | 2013-035 | 2013-6428 | Heat ReST API doesn't respect tenant scoping | |
Ceilometer | November 25, 2013 | 2013-031 | 2013-6384 | Ceilometer DB2/MongoDB backend password leak | |