
Difference between revisions of "SecurityAdvisories/Havana"

(Created page with " = Havana Security Advisories = == Fixed in 2013.2.2 == See ReleaseNotes/2013.2.2 {| border="1" cellpadding="2" cellspacing="0" | Product | Date | Openstack Security Adv...")
 
(Havana Security Advisories)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
  
 
= Havana Security Advisories =
 
= Havana Security Advisories =
 +
== Fixed in 2013.2.3 ==
 +
 +
See [[ReleaseNotes/2013.2.3]]
 +
 +
{| border="1" cellpadding="2" cellspacing="0"
 +
| Product
 +
| Date
 +
| Openstack Security Advisory
 +
| CVE Number
 +
| Title
 +
| Impact
 +
|-
 +
| Nova
 +
| March 27, 2014
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2014-March/000213.html 2014-009]
 +
| [https://bugs.launchpad.net/nova/+bug/1221190 2014-0134]
 +
|  Nova host data leak to vm instance in rescue mode
 +
 +
|-
 +
| Neutron
 +
| March 27, 2014
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2014-March/000212.html 2014-008]
 +
| [https://bugs.launchpad.net/neutron/+bug/1243327 2014-0056]
 +
|  Routers can be cross plugged by other tenants
 +
 +
|-
 +
| Keystone
 +
| March 27, 2014
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2014-March/000204.html 2014-006]
 +
| [https://bugs.launchpad.net/keystone/+bug/1260080 2014-2237]
 +
|  Trustee token revocation does not work with memcache backend
 +
 +
|}
 +
 +
 +
 +
 
== Fixed in 2013.2.2 ==
 
== Fixed in 2013.2.2 ==
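Review bot: each of the three rows added under "Fixed in 2013.2.3" supplies five cells, while the header row added in the same hunk declares six (Product through Impact), so the Impact column has no cell in any of these rows. Add a sixth cell per row, even an empty one, or fill in the impact. The CVE Number cells also link to the Launchpad bug under a bare label such as 2014-0134; writing the label as CVE-2014-0134 would make the identifier searchable.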
  
Line 53: Line 90:
 
| Title
 
| Title
 
| Impact
 
| Impact
 +
|-
 +
| Nova
 +
| October 31, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-October/000159.html 2013-029]
 +
| [https://bugs.launchpad.net/nova/+bug/1206081 2013-4463 2013-4469]
 +
|  Potential Nova denial of service through compressed disk images
 +
 +
|-
 +
| Nova
 +
| December 11, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000169.html 2013-033]
 +
| [https://launchpad.net/bugs/1235450 2013-6419]
 +
|  Metadata queries from Neutron to Nova are not restricted by tenant
 +
 +
|-
 +
| Keystone
 +
| October 30, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-October/000158.html 2013-028]
 +
| [https://bugs.launchpad.net/keystone/+bug/1242855 2013-4477]
 +
|  Unintentional role granting with Keystone LDAP backend
 +
 
|-
 
|-
 
| Keystone
 
| Keystone
|  
+
| December 11, 2013
| []
+
| [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000168.html 2013-032]
| []
+
| [https://launchpad.net/bugs/1242597 2013-6391]
 +
|  Keystone trust circumvention through EC2-style tokens
 +
 +
|-
 +
| Neutron
 +
| December 11, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000169.html 2013-033]
 +
| [https://launchpad.net/bugs/1235450 2013-6419]
 +
|  Metadata queries from Neutron to Nova are not restricted by tenant
 +
 +
|-
 +
| Horizon
 +
| December 11, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000173.html 2013-036]
 +
| [https://launchpad.net/bugs/1247675 2013-6458]
 +
|  Insufficient sanitization of Instance Name in Horizon
 +
 +
|-
 +
| Heat
 +
| December 11, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000171.html 2013-034]
 +
| [https://launchpad.net/bugs/1256049 2013-6426]
 +
|  Heat CFN policy rules not all enforced
 
|   
 
|   
 +
|-
 +
| Heat
 +
| December 11, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-December/000172.html 2013-035]
 +
| [https://launchpad.net/bugs/1256983 2013-6428]
 +
|  Heat ReST API doesn't respect tenant scoping
 +
 +
|-
 +
| Ceilometer
 +
| November 25, 2013
 +
| [http://lists.openstack.org/pipermail/openstack-announce/2013-November/000164.html 2013-031]
 +
| [https://bugs.launchpad.net/ceilometer/+bug/1244476 2013-6384]
 +
|  Ceilometer DB2/MongoDB backend password leak
 
|   
 
|   
 
|}
 
|}
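Review bot: advisory 2013-033 (CVE number 2013-6419, "Metadata queries from Neutron to Nova are not restricted by tenant") is added twice in this hunk, once as a Nova row and once as a Neutron row, with otherwise identical cells. Consider a single row whose Product cell names both projects, so that a later correction cannot be applied to one copy and missed in the other.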

Latest revision as of 20:04, 3 April 2014

Havana Security Advisories

Fixed in 2013.2.3

See ReleaseNotes/2013.2.3

| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Nova | March 27, 2014 | 2014-009 | 2014-0134 | Nova host data leak to vm instance in rescue mode | |
| Neutron | March 27, 2014 | 2014-008 | 2014-0056 | Routers can be cross plugged by other tenants | |
| Keystone | March 27, 2014 | 2014-006 | 2014-2237 | Trustee token revocation does not work with memcache backend | |



Fixed in 2013.2.2

See ReleaseNotes/2013.2.2

| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Nova | December 18, 2013 | 2013-037 | 2013-6437 | Nova compute DoS through ephemeral disk backing files | |
| Nova | January 13, 2013 | 2014-001 | 2013-7048 | Nova live snapshots use an insecure local directory | |
| Nova | January 23, 2014 | 2014-003 | 2013-7130 | Live migration can leak root disk into ephemeral storage | |
| Glance | February 12, 2014 | 2014-004 | 2014-1948 | Glance Swift store backend password leak | |

Fixed in 2013.2.1

See ReleaseNotes/2013.2.1

| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Nova | October 31, 2013 | 2013-029 | 2013-4463, 2013-4469 | Potential Nova denial of service through compressed disk images | |
| Nova | December 11, 2013 | 2013-033 | 2013-6419 | Metadata queries from Neutron to Nova are not restricted by tenant | |
| Keystone | October 30, 2013 | 2013-028 | 2013-4477 | Unintentional role granting with Keystone LDAP backend | |
| Keystone | December 11, 2013 | 2013-032 | 2013-6391 | Keystone trust circumvention through EC2-style tokens | |
| Neutron | December 11, 2013 | 2013-033 | 2013-6419 | Metadata queries from Neutron to Nova are not restricted by tenant | |
| Horizon | December 11, 2013 | 2013-036 | 2013-6458 | Insufficient sanitization of Instance Name in Horizon | |
| Heat | December 11, 2013 | 2013-034 | 2013-6426 | Heat CFN policy rules not all enforced | |
| Heat | December 11, 2013 | 2013-035 | 2013-6428 | Heat ReST API doesn't respect tenant scoping | |
| Ceilometer | November 25, 2013 | 2013-031 | 2013-6384 | Ceilometer DB2/MongoDB backend password leak | |