Debian Bug report logs -
#752021
CVE-2014-4167: Neutron L3-agent DoS through IPv6 subnet
Reported by: Thomas Goirand <zigo@debian.org>
Date: Wed, 18 Jun 2014 19:42:02 UTC
Severity: important
Tags: patch, security
Found in version 2014.1-1
Fixed in version 2014.1.1-1
Done: Thomas Goirand <zigo@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#752021; Package neutron.
(Wed, 18 Jun 2014 19:42:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>.
(Wed, 18 Jun 2014 19:42:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: neutron
Version: 2014.1.1-1
Severity: important
Tags: security patch
OpenStack Security Advisory: 2014-019
CVE: CVE-2014-4167
Date: June 18, 2014
Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1
Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron
L3-agent. By creating an IPv6 private subnet attached to a L3 router, an
authenticated user may break the L3-agent, preventing further floating
IPv4 addresses from being attached for the entire cloud. Note: removal
of the faulty network can not be done using the API and must be cleaned
at the database level. Only Neutron setups using IPv6 and L3-agent are
affected.
Juno (development branch) fix:
https://review.openstack.org/88584
Icehouse fix:
https://review.openstack.org/95938
Havana fix:
https://review.openstack.org/95939
Notes:
This fix will be included in the Juno-2 development milestone and in
future 2013.2.4 and 2014.1.2 releases.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4167
https://launchpad.net/bugs/1309195
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
Reply sent
to Thomas Goirand <zigo@debian.org>:
You have taken responsibility.
(Wed, 18 Jun 2014 19:48:14 GMT) (full text, mbox, link).
Notification sent
to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer.
(Wed, 18 Jun 2014 19:48:14 GMT) (full text, mbox, link).
Message #10 received at 752021-done@bugs.debian.org (full text, mbox, reply):
This CVE was fixed by uploading the latest upstream release of Neutron:
2014.1.1. I opened the bug only for reference.
Thomas
Marked as fixed in versions 2014.1.1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 19 Jun 2014 04:39:04 GMT) (full text, mbox, link).
No longer marked as found in versions 2014.1.1-1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 02 Nov 2014 12:07:20 GMT) (full text, mbox, link).
Marked as found in versions 2014.1-1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 02 Nov 2014 12:07:21 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 22 Dec 2014 07:27:23 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:36:05 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon