Grizzly Security Advisories
Fixed in 2013.1.5
See ReleaseNotes/2013.1.5

| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Nova | October 31, 2013 | 2013-029 | 2013-4463 2013-4469 | Potential Nova denial of service through compressed disk images | |
| Nova | November 14, 2013 | 2013-030 | 2013-4497 | XenAPI security groups not kept through migrate or resize | |
| Nova | December 11, 2013 | 2013-033 | 2013-6419 | Metadata queries from Neutron to Nova are not restricted by tenant | |
| Nova | December 18, 2013 | 2013-037 | 2013-6437 | Nova compute DoS through ephemeral disk backing files | |
| Nova | January 13, 2013 | 2014-001 | 2013-7048 | Nova live snapshots use an insecure local directory | |
| Nova | January 23, 2014 | 2014-003 | 2013-7130 | Live migration can leak root disk into ephemeral storage | |
| Keystone | October 30, 2013 | 2013-028 | 2013-4477 | Unintentional role granting with Keystone LDAP backend | |
| Keystone | December 11, 2013 | 2013-032 | 2013-6391 | Keystone trust circumvention through EC2-style tokens | |
| Keystone | March 04, 2014 | 2014-006 | 2014-2237 | Trustee token revocation does not work with memcache backend | |
| Networking | December 11, 2013 | 2013-033 | 2013-6419 | Metadata queries from Neutron to Nova are not restricted by tenant | |
| Horizon | December 11, 2013 | 2013-036 | 2013-6458 | Insufficient sanitization of Instance Name in Horizon | |

Fixed in 2013.1.4
See ReleaseNotes/2013.1.4

| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Keystone | September 11, 2013 | 2013-025 | 2013-4294 | PKI tokens are never revoked using memcache token backend | |
| Nova | September 12, 2013 | 2013-026 | 2013-4261 | Some sequence of characters in console-log can DoS nova-compute | |
| Nova | August 28, 2013 | 2013-024 | 2013-4278 | Resource limit circumvention in Nova private flavors | |
| Glance | October 22, 2013 | 2013-027 | 2013-4428 | 'image_download' role in v2 causes traceback | |

Fixed in 2013.1.3
See ReleaseNotes/2013.1.3

| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Nova | August 6, 2013 | 2013-019 | 2013-2256 | Resource limit circumvention in Nova private flavors | |
| Nova | August 6, 2013 | 2013-020 | 2013-4185 | Denial of Service in Nova network source security groups | |
| Nova | August 8, 2013 | 2013-023 | 2013-4179 | Denial of Service using XML entities in Nova extensions | |
| Cinder | August 7, 2013 | 2013-021 | 2013-4183 | Cinder LVM volume driver does not support secure deletion | |
| Cinder | August 8, 2013 | 2013-023 | 2013-4202 | Denial of Service using XML entities in Cinder extensions | |
| Keystone | June 13, 2013 | 2013-015 | 2013-2157 | Authentication bypass when using LDAP backend | |

Fixed in 2013.1.2
See ReleaseNotes/2013.1.2

| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Nova | May 16, 2013 | 2013-012 | 2013-2096 | Nova fails to verify image virtual size | |

Fixed in 2013.1.1
See ReleaseNotes/2013.1.1

| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Keystone | May 9, 2013 | 2013-011 | 2013-2059 | Keystone tokens not immediately invalidated when user is deleted | |
| Nova | May 9, 2013 | 2013-010 | 2013-2030 | Nova uses insecure keystone middleware tmpdir by default | |