nova: CVE-2013-4278: Incomplete fix for CVE-2013-2256

Related Vulnerabilities: CVE-2013-4278   CVE-2013-2256   CVE-2013-4185  

Debian Bug report logs - #720602


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 23 Aug 2013 18:45:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version 2013.1.2-3

Fixed in version nova/2013.1.3-1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>: Bug#720602; Package nova. (Fri, 23 Aug 2013 18:45:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 23 Aug 2013 18:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nova: CVE-2013-4278: Incomplete fix for CVE-2013-2256
Date: Fri, 23 Aug 2013 20:44:17 +0200
Package: nova
Version: 2013.1.2-3
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for nova.

CVE-2013-4278[0]:
Nova private flavors resource limit circumvention

This is the CVE for the incomplete fix for previous CVE-2013-2256, see
bug #718905[1]. See furthermore [2] and patch for grizzly[3].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4278
    http://security-tracker.debian.org/tracker/CVE-2013-4278
[1] http://bugs.debian.org/718905
[2] https://bugs.launchpad.net/ossa/+bug/1212179
[3] https://review.openstack.org/#/c/43281/

Regards,
Salvatore



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 10 Sep 2013 13:36:32 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 10 Sep 2013 13:36:32 GMT)


Message #10 received at 720602-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 720602-close@bugs.debian.org
Subject: Bug#720602: fixed in nova 2013.1.3-1
Date: Tue, 10 Sep 2013 13:34:27 +0000
Source: nova
Source-Version: 2013.1.3-1

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 720602@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Aug 2013 12:10:46 +0200
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml nova-compute-xen nova-compute-qemu nova-compute-kvm nova-xcp-plugins nova-conductor nova-cert nova-scheduler nova-volume nova-api nova-network nova-console nova-consoleauth nova-doc nova-cells nova-baremetal nova-consoleproxy
Architecture: source all
Version: 2013.1.3-1
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 nova-api   - OpenStack Compute - compute API frontend
 nova-baremetal - Openstack Compute - baremetal virt
 nova-cells - Openstack Compute - cells
 nova-cert  - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
 nova-compute-xen - OpenStack Compute - compute node (Xen)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 nova-xcp-plugins - OpenStack Compute plugin for the Xen Cloud Platform
 python-nova - OpenStack Compute - libraries
Closes: 718710 718924 719138 720005 720315 720602 721039 721259
Changes: 
 nova (2013.1.3-1) unstable; urgency=low
 .
   * New upstream point release.
   * Fixed wrong chown in upstart script (sed s/Root/root/).
   * Adds new debconf template translations:
     - Brazilian Portuguese, thanks to Adriano Rafael Gomes (Closes: #718710).
     - Japanese, thanks to victory (Closes: #718924).
   * Debconf translation updates:
     - Danish, thanks to Joe Dalton (Closes: #720005).
     - Portuguese, thanks to the Traduz team (Closes: #720315).
     - Czech, thanks to Michal Šimůnek (Closes: #721039).
     - Russian, thanks to Yuri Kozlov (Closes: #721259).
   * Adds iproute to nova-common depends (Closes: #719138).
   * Removes Make-nova-api-use-servicegroup.API.service_is_up.patch applied
     upstream.
   * Removes CVE-2013-2256_Make_flavors_is_public_option_actually_work.patch
     now applied upstream.
   * Removes CVE-2013-4185_Use_cached_nwinfo_for_secgroup_rules.patch now
     applied upstream.
   * CVE-2013-4278: Applies upstream patch (Closes: #720602).
   * Added patch to fix Nova networking.
   * Removes the nova-xcp-plugins package until we have a working XCP again in
     testing.
Checksums-Sha1: 
 45a8905d8e3eff0e614724409bb02e7afd1db847 3645 nova_2013.1.3-1.dsc
 1157b90172f6644a865ef8b9e1025fb45ce55d5b 2482772 nova_2013.1.3.orig.tar.xz
 d16135290ea5d8a536dcf06aa72cff52bddc3856 73950 nova_2013.1.3-1.debian.tar.gz
 3f9259bbfec9a3ce6aa8255fb0805c93a1099eeb 1268358 python-nova_2013.1.3-1_all.deb
 869d0ff5d40aff704fdfefba6902ebe3186965e9 53806 nova-common_2013.1.3-1_all.deb
 3a5dbac8bf6eea25994b66012d0fdcc832047ae4 18804 nova-compute_2013.1.3-1_all.deb
 421336b1dcca128fb50506a5c54f5bd0c584a8f0 13468 nova-compute-lxc_2013.1.3-1_all.deb
 1493b037b2ef8ed1514eda58b62a2595fc747e85 13484 nova-compute-uml_2013.1.3-1_all.deb
 ab78495528d6fadc401b16b754f755068ad715ad 24520 nova-compute-xen_2013.1.3-1_all.deb
 9de897a867a1639b8340abad98f158655b13c0b1 13468 nova-compute-qemu_2013.1.3-1_all.deb
 a4e5afe18313c43628d1782fbee14c86a5c34825 13548 nova-compute-kvm_2013.1.3-1_all.deb
 bed47ca27f007b4ebe5f7d7feee1b755f92c24de 35446 nova-xcp-plugins_2013.1.3-1_all.deb
 a79abba918f20d54d039acd2c9d342d5a12d0fd4 16276 nova-conductor_2013.1.3-1_all.deb
 9adb172ac772dfc982c70cd0b0ef5306fb018d82 16388 nova-cert_2013.1.3-1_all.deb
 7059635db5c368d9978e02c1f03c80415f6cefe5 17910 nova-scheduler_2013.1.3-1_all.deb
 b6d582d7513326baee3bca104aa7371ff7d20b08 13120 nova-volume_2013.1.3-1_all.deb
 694d397aa0999eab2c56c13c33c6af3b2588a7f2 27064 nova-api_2013.1.3-1_all.deb
 0994c9ce08f28cf6bc536488b0111f7e5a5cb7a3 19552 nova-network_2013.1.3-1_all.deb
 00d0f655af3277e0219b0cb4be3a2c07933c9ade 16418 nova-console_2013.1.3-1_all.deb
 a0c1203c7000585dd0cc7c2b387729e2c79390a7 16164 nova-consoleauth_2013.1.3-1_all.deb
 8c4fe0c5a8663e9363aa5ada488448f4f941719d 2202238 nova-doc_2013.1.3-1_all.deb
 f0d51eb35bbb1a3fea74349f950165915508d11b 15404 nova-cells_2013.1.3-1_all.deb
 428d239950ebd37452efec09bd91d95c33753784 19766 nova-baremetal_2013.1.3-1_all.deb
 e82019b13e0009620d98d266f1f788feaf0b52dc 20940 nova-consoleproxy_2013.1.3-1_all.deb
Checksums-Sha256: 
 258b60773653da08dd679d63474361ee9faf761785cf7ebe39d1ac4e1e358e36 3645 nova_2013.1.3-1.dsc
 5ab5512458a513f3783aaab453f859173438c4376ecb7a4aeba33423b263dcb9 2482772 nova_2013.1.3.orig.tar.xz
 cba43164c0227fcf396894da893a02ed5c0d2c9e06382ad63c60e6001da1a95a 73950 nova_2013.1.3-1.debian.tar.gz
 d18be336b9a383e2e73c5dd606df4cc6523bc3e4ddc8151d9644117a0b8f2e06 1268358 python-nova_2013.1.3-1_all.deb
 d9bfec255e323a8aa3c4a859e0e8e6ef8fcb37c7520d09f454af8378ff435f8e 53806 nova-common_2013.1.3-1_all.deb
 bf69d6b69f2e6bf43ca2087143088b79d18eb9b4442ea4bdc587b9f57bc8a5c8 18804 nova-compute_2013.1.3-1_all.deb
 0c019ce90dfb81fb807834965392199a838a4db819d95d1e25ea122b1161010c 13468 nova-compute-lxc_2013.1.3-1_all.deb
 5e9895cab5f0b74968878d6db106798d5372ec3b720a4de5722955a11171c23e 13484 nova-compute-uml_2013.1.3-1_all.deb
 850673cc0b4793787110b4034782aa46b9a26537278285209ef3ea1916c98f48 24520 nova-compute-xen_2013.1.3-1_all.deb
 8bf894af9706ce17977aef92ad34cac2ff919fbc5950d47d39fd24a2fcbc40dc 13468 nova-compute-qemu_2013.1.3-1_all.deb
 18fcc2105dcaa9cb10fa419a2c2a678e4f62dbacc69a88e8abcb28f6607c7055 13548 nova-compute-kvm_2013.1.3-1_all.deb
 d6ac5d6d4664bd0aad05a9397c95cb76fc6c92bd317618573516d7b5e036fba9 35446 nova-xcp-plugins_2013.1.3-1_all.deb
 5574725710791eb459173b5103d37047a6f112fe2910d1eb566e254dfaf7f9b3 16276 nova-conductor_2013.1.3-1_all.deb
 409a235bc14ceb1cc37d4d5237e4fc6ed82de94d1ddde6e30d469d292384e4be 16388 nova-cert_2013.1.3-1_all.deb
 ffc209afcc4c71447aeab12a12a321de9bb2a7b2dc17fce2ee960416a94b84db 17910 nova-scheduler_2013.1.3-1_all.deb
 3728a957f4f1d4001ebf42432cb0e9227fbdf5fdbd96932938b8e46c05331869 13120 nova-volume_2013.1.3-1_all.deb
 b511d7d7c1d6ab3854f83bede8f71ca12d166cbc421ff0cea088988bd460ea5a 27064 nova-api_2013.1.3-1_all.deb
 7c7bc2952981954a990ffcba91b41cfcd9d6175b9c50448fb00cb0fc086af168 19552 nova-network_2013.1.3-1_all.deb
 8b31c0f6bd84eded662c08d1463648e3f61877e292c531d0c27d4f6f517527f5 16418 nova-console_2013.1.3-1_all.deb
 757208cda5b3456a68b76b4408dd2ddd9367344adf4a823704236f61041957c5 16164 nova-consoleauth_2013.1.3-1_all.deb
 8259831cc4b96deaddb6226b7e639cfef53307d223df34d6438c5f3f686e1d43 2202238 nova-doc_2013.1.3-1_all.deb
 ac8738803d54c701df8517ec6b3741acdb8baa2253ad3e930bf9e0a2d179ac70 15404 nova-cells_2013.1.3-1_all.deb
 47f6112905161c35d50df6f4f123a8d966d7559626a54f9eef03d3ea4c5c5925 19766 nova-baremetal_2013.1.3-1_all.deb
 750fe01f4105ce1f18482fd776a9564e66f754ee079881ebad7094ff2a0f59d8 20940 nova-consoleproxy_2013.1.3-1_all.deb
Files: 
 ef5cbcb505fb04c6d71f32299a270f7d 3645 net extra nova_2013.1.3-1.dsc
 a4a6b0ca54b2bb4052efcb32a8529df1 2482772 net extra nova_2013.1.3.orig.tar.xz
 d8785ad941eb18be9852261e87438f68 73950 net extra nova_2013.1.3-1.debian.tar.gz
 c32e223b00401784e5c9e17575cef6d3 1268358 python extra python-nova_2013.1.3-1_all.deb
 7e2450c440dcbb88fc4b8fa5e79beb62 53806 net extra nova-common_2013.1.3-1_all.deb
 93a6e6e4a99bf32691756c059294c2b9 18804 net extra nova-compute_2013.1.3-1_all.deb
 cce18843b5fe6fd1a7f242f842686ae5 13468 net extra nova-compute-lxc_2013.1.3-1_all.deb
 aed1d761e6eb3e8937d9db63c6dc433b 13484 net extra nova-compute-uml_2013.1.3-1_all.deb
 b358e745c1646afd8a57634e0a5ed64e 24520 net extra nova-compute-xen_2013.1.3-1_all.deb
 a2af2f972b97557285ef028298208142 13468 net extra nova-compute-qemu_2013.1.3-1_all.deb
 9badaa2ddd586fdb8c9a78d00bb85d98 13548 net extra nova-compute-kvm_2013.1.3-1_all.deb
 282aca84eb47ea6e42b9dd653e4ae56d 35446 net extra nova-xcp-plugins_2013.1.3-1_all.deb
 dd54a2ba71e29cf7b7146bd78666f6ac 16276 net extra nova-conductor_2013.1.3-1_all.deb
 f88500783379f1ec3148f0a222d218b4 16388 net extra nova-cert_2013.1.3-1_all.deb
 f2f63ed541e62a3cbc7e1d9f87318056 17910 net extra nova-scheduler_2013.1.3-1_all.deb
 d71fb21e45b30190601349875913ea9c 13120 oldlibs extra nova-volume_2013.1.3-1_all.deb
 6c914a331e1e43bbd650e4d94f8084d3 27064 net extra nova-api_2013.1.3-1_all.deb
 516d9370062b0d187f725feea5bfc012 19552 net extra nova-network_2013.1.3-1_all.deb
 9327b775ade84e138fac4181b2755b94 16418 net extra nova-console_2013.1.3-1_all.deb
 551815b114fb8b3181ea1cfdbfb91163 16164 net extra nova-consoleauth_2013.1.3-1_all.deb
 385e839cd85e29abba3cdb531195227d 2202238 doc extra nova-doc_2013.1.3-1_all.deb
 7b357c1c87f7ecabfcf370b85a8780c5 15404 net extra nova-cells_2013.1.3-1_all.deb
 682a26b1b16c9a0fb78d99ba6e988cfd 19766 net extra nova-baremetal_2013.1.3-1_all.deb
 98663f64d2a56bb4188eec80297ab99e 20940 net extra nova-consoleproxy_2013.1.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIvHDIACgkQl4M9yZjvmkl6LwCeOZ51Fn4tiLwdMDZm7yO+w4RL
UvQAoOIRxux5GGqvX94Z51noa/nYXMMp
=gbYC
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 09 Oct 2013 07:25:51 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:39:29 2019; Machine Name: buxtehude