nova: CVE-2013-4463 and CVE-2013-4469

Related Vulnerabilities: CVE-2013-4463   CVE-2013-4469   CVE-2013-2096  

Debian Bug report logs - #728605


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 3 Nov 2013 14:30:01 UTC

Severity: important

Tags: patch, security, upstream

Fixed in version nova/2013.2-3

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#728605; Package nova. (Sun, 03 Nov 2013 14:30:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 03 Nov 2013 14:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nova: CVE-2013-4463 and CVE-2013-4469
Date: Sun, 03 Nov 2013 15:27:05 +0100
Package: nova
Severity: important
Tags: security upstream patch

Hi,

the following vulnerabilities were published for nova.

CVE-2013-4463[0]:
Compressed disk image DoS

CVE-2013-4469[1]:
Denial of Service (Incomplete fix for CVE-2013-2096)

Red Hat Bugzilla provides patches for both CVEs at [2] (note the CVE
split, but the patches are found in [2]).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4463
[1] http://security-tracker.debian.org/tracker/CVE-2013-4469
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1023239
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1023581

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 05 Dec 2013 15:24:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 05 Dec 2013 15:24:11 GMT)


Message #10 received at 728605-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 728605-close@bugs.debian.org
Subject: Bug#728605: fixed in nova 2013.2-3
Date: Thu, 05 Dec 2013 15:20:40 +0000
Source: nova
Source-Version: 2013.2-3

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728605@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 26 Nov 2013 00:13:07 +0800
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml nova-compute-qemu nova-compute-kvm nova-conductor nova-cert nova-scheduler nova-volume nova-api nova-network nova-console nova-consoleauth nova-doc nova-cells nova-baremetal nova-consoleproxy
Architecture: source all
Version: 2013.2-3
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 nova-api   - OpenStack Compute - compute API frontend
 nova-baremetal - Openstack Compute - baremetal virt
 nova-cells - Openstack Compute - cells
 nova-cert  - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 728605 728765 729711 730453
Changes: 
 nova (2013.2-3) unstable; urgency=high
 .
   * Moved python-mysqldb from Recommends to Depends in python-nova.
   * CVE-2013-4463 & CVE-2013-4469: ensure we don't boot oversized images,
     applied upstream patch (Closes: #728605).
   * Update of some debconf translations, with warm thanks to:
     - French, Julien Patriarca <leatherface@debian.org> (Closes: #728765).
     - Russian, Yuri Kozlov <yuray@komyakino.ru> (Closes: #729711).
     - German, Chris Leick <c.leick@vollbio.de> (Closes: #730453).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

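The changelog entry in the message above refers to the oversized-image check for CVE-2013-4463 and CVE-2013-4469: these CVEs concern qcow2 images whose guest-visible (virtual) size far exceeds the size of the uploaded file, so a check on the stored file size alone lets a tiny image fill a compute node's disk at boot. The block below is an added illustration, not nova's code or the upstream patch: it reads the virtual size straight from the qcow2 header (layout per the qcow2 specification) and rejects any image whose stored or virtual size exceeds the flavor's root disk; the `root_gb` name and the constructed headers are the example's own.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
GIB = 1024 ** 3


def qcow2_virtual_size(data: bytes) -> int:
    """Return the virtual (guest-visible) size in bytes from a qcow2 header.

    qcow2 layout: magic at offset 0, version (uint32 BE) at offset 4,
    virtual size (uint64 BE) at offset 24. Raises ValueError for anything
    that is not a qcow2 v2/v3 header.
    """
    if len(data) < 32 or data[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version = struct.unpack_from(">I", data, 4)[0]
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    return struct.unpack_from(">Q", data, 24)[0]


def image_fits_flavor(header: bytes, stored_size: int, root_gb: int) -> bool:
    """True only if both the stored bytes and the virtual size fit in root_gb.

    Checking stored_size alone is the gap these CVEs describe: a few-KiB
    qcow2 file can declare a multi-TiB virtual disk that expands at boot.
    """
    limit = root_gb * GIB
    virtual = qcow2_virtual_size(header)
    return stored_size <= limit and virtual <= limit


def make_qcow2_header(virtual_size: int, version: int = 3) -> bytes:
    """Build a minimal 32-byte qcow2 header (constructed test data, not a real image)."""
    return (QCOW2_MAGIC
            + struct.pack(">I", version)        # version
            + struct.pack(">Q", 0)              # backing_file_offset
            + struct.pack(">I", 0)              # backing_file_size
            + struct.pack(">I", 16)             # cluster_bits (64 KiB clusters)
            + struct.pack(">Q", virtual_size))  # size (virtual)


if __name__ == "__main__":
    # Constructed case: a 40 KiB file claiming a 2 TiB guest disk, offered
    # to a flavor with a 20 GiB root disk.
    oversized = make_qcow2_header(2 * 1024 * GIB)
    print("stored-size check only:", 40 * 1024 <= 20 * GIB)                 # True (the gap)
    print("with virtual-size check:", image_fits_flavor(oversized, 40 * 1024, 20))  # False
```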




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#728605; Package nova. (Fri, 06 Dec 2013 07:18:04 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 06 Dec 2013 07:18:04 GMT)


Message #15 received at 728605@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 728605@bugs.debian.org, security@debian.org
Subject: Re: [Openstack-devel] Bug#728605: nova: CVE-2013-4463 and CVE-2013-4469
Date: Fri, 06 Dec 2013 15:16:14 +0800
On 11/03/2013 10:27 PM, Salvatore Bonaccorso wrote:
> Package: nova
> Severity: important
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerabilities were published for nova.
> 
> CVE-2013-4463[0]:
> Compressed disk image DoS
> 
> CVE-2013-4469[1]:
> Denial of Service (Incomplete fix for CVE-2013-2096)
> 
> Red Hat Bugzilla provides patches for both CVEs at [2] (note the CVE
> split, but the patches are found in [2]).
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] http://security-tracker.debian.org/tracker/CVE-2013-4463
> [1] http://security-tracker.debian.org/tracker/CVE-2013-4469
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1023239
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1023581
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

This one has been fixed in Sid, please update the tracker.

I'll work on backporting the fix to Stable.

Thomas




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Mar 2014 07:25:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:09:47 2019; Machine Name: beach
