CVE-2014-2573: Nova VMWare driver leaks rescued images


Debian Bug report logs - #750144

Reported by: Thomas Goirand <zigo@debian.org>

Date: Mon, 2 Jun 2014 03:33:01 UTC

Severity: normal

Tags: patch, security

Found in version nova/2014.1-8

Fixed in version nova/2014.1-9

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#750144; Package src:nova. (Mon, 02 Jun 2014 03:33:06 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Mon, 02 Jun 2014 03:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-2573: Nova VMWare driver leaks rescued images
Date: Mon, 02 Jun 2014 11:31:20 +0800
Source: nova
Version: 2014.1-8
Severity: normal
Tags: security patch

OpenStack Security Advisory: 2014-017
CVE: CVE-2014-2573
Date: May 29, 2014
Title: Nova VMWare driver leaks rescued images
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Versions: from 2013.2 to 2013.2.3, and 2014.1

Description:
Jaroslav Henner from Red Hat reported a vulnerability in Nova. By
requesting Nova place an image into rescue, then deleting the image,
an authenticated user may exceed their quota. This can result in a
denial of service via excessive resource consumption. Only setups
using the Nova VMWare driver are affected.

Juno (development branch) fix:
https://review.openstack.org/75788
https://review.openstack.org/80284

Icehouse fix:
https://review.openstack.org/88514
https://review.openstack.org/89217

Havana fix:
https://review.openstack.org/89762
https://review.openstack.org/89768

Notes:
This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573
https://launchpad.net/bugs/1269418

-- Jeremy Stanley OpenStack Vulnerability Management Team



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 02 Jun 2014 05:51:09 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Mon, 02 Jun 2014 05:51:09 GMT)


Message #10 received at 750144-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 750144-close@bugs.debian.org
Subject: Bug#750144: fixed in nova 2014.1-9
Date: Mon, 02 Jun 2014 05:49:19 +0000
Source: nova
Source-Version: 2014.1-9

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 750144@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 02 Jun 2014 11:28:38 +0800
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml nova-compute-qemu nova-compute-kvm nova-conductor nova-cert nova-scheduler nova-volume nova-api nova-network nova-console nova-consoleauth nova-doc nova-cells nova-baremetal nova-consoleproxy
Architecture: source all
Version: 2014.1-9
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 nova-api   - OpenStack Compute - compute API frontend
 nova-baremetal - Openstack Compute - baremetal virt
 nova-cells - Openstack Compute - cells
 nova-cert  - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 750144
Changes: 
 nova (2014.1-9) unstable; urgency=high
 .
   * CVE-2014-2573: Nova VMWare driver leaks rescued images. Applied 2 patches
     from upstream (Closes: #750144).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Oct 2014 07:32:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:54:24 2019; Machine Name: beach
