ReleaseNotes/2013.2.3
Release Notes, 2013.2.3
The 2013.2.3 release is a Havana bugfix update for OpenStack Compute (Nova), OpenStack Identity (Keystone), OpenStack Image Registry and Delivery Service (Glance), OpenStack Networking (Neutron), OpenStack Block Storage (Cinder), OpenStack Dashboard (Horizon), OpenStack Orchestration (Heat) and OpenStack Telemetry (Ceilometer).
The bugfixes contained in this release were backported from the development branches into a stable branch. The release is intended to be a low risk update with no intentional regressions or API changes.
Contents
Resolved Security Issues
OpenStack Identity (Keystone)
- OSSA 2014-006 / CVE-2014-2237 - Trustee token revocation does not work with memcache backend
OpenStack Compute (Nova)
- OSSA 2014-009 / CVE 2014-0134 - Nova host data leak to vm instance in rescue mode
OpenStack Networking (Neutron)
- OSSA 2014-008 / CVE 2014-0056 - Routers can be cross plugged by other tenants
Bugs Fixed
In total, 106 launchpad bugs are fixed by this update.
- List of OpenStack Compute (Nova) bugs fixed in the 2013.2.3 release
- List of OpenStack Identity (Keystone) bugs fixed in the 2013.2.3 release
- List of OpenStack Image Registry and Delivery Service (Glance) bugs fixed in the 2013.2.3 release
- List of OpenStack Networking (Neutron) bugs fixed in the 2013.2.3 release
- List of OpenStack Block Storage (Cinder) bugs fixed in the 2013.2.3 release
- List of OpenStack Dashboard (Horizon) bugs fixed in the 2013.2.3 release
- List of OpenStack Orchestration (Heat) bugs fixed in the 2013.2.3 release
- List of OpenStack Telemetry (Ceilometer) bugs fixed in the 2013.2.3 release
Known Issues and Limitations
Keystone
The use of the oauth2 Python library has been removed in Icehouse in favor of oauthlib. oauth2 is largely unmaintained upstream and contains unresolved security issues. However, it was determined that the required changes to Keystone stable/havana and its required dependencies did not fit the critieria for a potential backport. Instead, Havana users of Keystone's OAUTH extensions are encouraged to backport this change manually or rely on their vendors to do so. For more context, see the mailling list thread and patch.