heat: CVE-2016-9185: template source URL allows network port scan

Related Vulnerabilities: CVE-2016-9185  

Debian Bug report logs - #843232


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Nov 2016 10:57:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version heat/1:7.0.0-1

Fixed in version heat/1:7.0.0-2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/ossa/+bug/1606500



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#843232; Package src:heat. (Sat, 05 Nov 2016 10:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sat, 05 Nov 2016 10:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: heat: CVE-2016-9185: template source URL allows network port scan
Date: Sat, 05 Nov 2016 11:52:05 +0100
Source: heat
Version: 1:7.0.0-1
Severity: grave
Tags: security upstream patch
Forwarded: https://bugs.launchpad.net/ossa/+bug/1606500

Hi,

the following vulnerability was published for heat.

CVE-2016-9185[0]:
| In OpenStack Heat, by launching a new Heat stack with a local URL an
| authenticated user may conduct network discovery revealing internal
| network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0,
| and ==7.0.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9185
[1] https://bugs.launchpad.net/ossa/+bug/1606500

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
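The vulnerability described above (an authenticated user pointing a stack's template URL at an internal host and reading the fetch failure back out of the API) is server-side request forgery used as a port-scan oracle; the upstream fix title quoted later in this log, "Prevent template validate from scanning ports", names exactly that. The Python below is an added illustration of the bug class and of the two controls a practitioner would want; it is not Heat's code and not the upstream patch. `fetch_template_vulnerable` reproduces the pattern against a simulated network, `port_scan_via_oracle` shows how the error text classifies ports, and `fetch_template_hardened` decides on the resolved address and returns one generic error for every failure. The function names, the DNS table and the simulated host/port outcomes are constructed for this example.

```python
"""Added example for the CVE-2016-9185 bug class: a template fetcher that
echoes socket errors is a port-scan oracle.  Not Heat code; the network,
DNS table and function names below are constructed for the example."""
import errno
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for the engine's view of the network: (host, port) -> outcome.
SIMULATED_NETWORK = {
    ("10.0.0.5", 22): "open",
    ("10.0.0.5", 3306): "open",
    ("10.0.0.5", 8080): "refused",
    ("10.0.0.9", 80): "timeout",
    ("93.184.216.34", 80): "open",      # the one legitimate template host
}
# Constructed DNS table used instead of real name resolution.
CONSTRUCTED_DNS = {"templates.example.com": "93.184.216.34",
                   "localhost": "127.0.0.1"}
GENERIC_ERROR = "Failed to retrieve template"


def simulated_connect(host, port):
    """Raise what a real TCP connect would raise, without touching the network."""
    outcome = SIMULATED_NETWORK.get((host, port), "refused")
    if outcome == "open":
        return
    if outcome == "refused":
        raise ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")
    raise socket.timeout("timed out")


def default_port(u):
    return u.port or (443 if u.scheme == "https" else 80)


def fetch_template_vulnerable(url, connect=simulated_connect):
    """'Before' pattern: any host is contacted and the raw socket error is
    returned to the authenticated caller, so open / refused / timeout are
    distinguishable from the API response alone."""
    u = urlparse(url)
    try:
        connect(u.hostname, default_port(u))
    except OSError as exc:          # socket.timeout is an OSError subclass
        return f"{GENERIC_ERROR}: {exc}"
    return "template fetched"


def port_scan_via_oracle(host, ports, fetch=fetch_template_vulnerable):
    """What the attacker does: map ports from the error text, nothing else."""
    result = {}
    for p in ports:
        msg = fetch(f"http://{host}:{p}/template.yaml")
        if msg == "template fetched":
            result[p] = "open"
        elif "refused" in msg:
            result[p] = "closed"
        else:
            result[p] = "filtered"
    return result


def resolve(hostname, table=CONSTRUCTED_DNS):
    """Return the target as an ipaddress object, or None if it cannot be resolved."""
    try:
        return ipaddress.ip_address(hostname)      # literal IPv4 / IPv6
    except ValueError:
        addr = table.get(hostname)
        return ipaddress.ip_address(addr) if addr else None


def fetch_template_hardened(url, connect=simulated_connect, resolver=resolve):
    """'After' pattern: (1) only http(s) to a globally routable address, decided
    on the resolved IP and connected to that same IP, so loopback, RFC 1918,
    link-local (169.254.169.254 included) and DNS-rebinding targets never get
    a connection; (2) one constant error for every failure, so the response no
    longer distinguishes ports."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return GENERIC_ERROR
    addr = resolver(u.hostname)
    if addr is None or not addr.is_global:
        return GENERIC_ERROR
    try:
        connect(str(addr), default_port(u))
    except OSError:
        return GENERIC_ERROR
    return "template fetched"
```

Run `port_scan_via_oracle("10.0.0.5", [22, 3306, 8080])` against the vulnerable fetcher and the three ports come back open/open/closed; run it with `fetch=fetch_template_hardened` and every port reads as "filtered", which is the property the fix needs. Two caveats for a real deployment: the `is_global` check must be applied again to every redirect hop, since an allowed public host can 302 to an internal one, and the generic message should be returned for certificate and HTTP-status failures as well, not only for socket errors.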



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to control@bugs.debian.org. (Sun, 06 Nov 2016 10:24:11 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#843232. (Sun, 06 Nov 2016 10:24:14 GMT)


Message #10 received at 843232-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 843232-submitter@bugs.debian.org
Subject: Bug#843232 marked as pending
Date: Sun, 06 Nov 2016 10:22:40 +0000
tag 843232 pending
thanks

Hello,

Bug #843232 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=openstack/heat.git;a=commitdiff;h=d4c8d62

---
commit d4c8d629f0c53d1d3d2ad153bb0802f96e75336f
Author: Thomas Goirand <zigo@debian.org>
Date:   Sun Nov 6 11:13:33 2016 +0100

    CVE-2016-9185: Prevent template validate from scanning ports
    
      * CVE-2016-9185: template source URL allows network port scan. Applied
        upstream fix: "Prevent template validate from scanning ports"
        (Closes: #843232).

diff --git a/debian/changelog b/debian/changelog
index c73db2c..c6c2353 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+heat (2014.1.3-7+deb8u1) jessie-security; urgency=medium
+
+  * CVE-2016-9185: template source URL allows network port scan. Applied
+    upstream fix: "Prevent template validate from scanning ports"
+    (Closes: #843232).
+
+ -- Thomas Goirand <zigo@debian.org>  Sun, 06 Nov 2016 11:11:36 +0100
+
 heat (2014.1.3-7) unstable; urgency=medium
 
   * Removed the use of PROTOCOL_SSLv3 which is removed form Debian.
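Review bot: only debian/changelog is touched in this hunk; the patch file the new entry says was applied ("Prevent template validate from scanning ports") and its debian/patches/series line are not in the shown diff, so the reviewer cannot confirm from this change that the upstream fix is actually in the tree. Please add that patch to the same commit, with the upstream commit reference and the CVE id in its DEP-3 header, so the changelog claim is verifiable. Note also that the entry is for 2014.1.3-7+deb8u1 in jessie-security, while this report was filed against 1:7.0.0-1; the BTS tracks fixes per version, so the unstable upload needs its own changelog entry closing #843232 (which the later 1:7.0.0-2 upload in this log does provide).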



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 21 Nov 2016 17:33:07 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sun, 08 Jan 2017 17:06:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 08 Jan 2017 17:06:09 GMT)


Message #17 received at 843232-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 843232-close@bugs.debian.org
Subject: Bug#843232: fixed in heat 1:7.0.0-2
Date: Sun, 08 Jan 2017 17:03:42 +0000
Source: heat
Source-Version: 1:7.0.0-2

We believe that the bug you reported is fixed in the latest version of
heat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 843232@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated heat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 26 Dec 2016 17:36:59 +0100
Source: heat
Binary: python-heat heat-common heat-engine heat-api heat-api-cfn heat-api-cloudwatch heat-doc
Architecture: source all
Version: 1:7.0.0-2
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 heat-api   - OpenStack orchestration service - ReST API
 heat-api-cfn - OpenStack orchestration service - CFN API
 heat-api-cloudwatch - OpenStack orchestration service - CloudWatch API
 heat-common - OpenStack orchestration service - common files
 heat-doc   - OpenStack orchestration service - Documentation
 heat-engine - OpenStack orchestration service - engine
 python-heat - OpenStack orchestration service - Python files
Closes: 843232 850231
Changes:
 heat (1:7.0.0-2) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * Bumped debhelper compat version to 10
 .
   [ Thomas Goirand ]
   * CVE-2016-9185: template source URL allows network port scan: applied
     upstream patch (Closes: #843232).
   * Remove broken rst with latest docutils (Closes: #850231).
Checksums-Sha1:
 5db7e63193ae753d244314235b9b5211711fcffa 4636 heat_7.0.0-2.dsc
 c7c57201bb922994ab1cbb3fc3d5bc60e6d815be 29172 heat_7.0.0-2.debian.tar.xz
 0c0cf119922bdae7b12b764a352aeb2469e211c5 10690 heat-api-cfn_7.0.0-2_all.deb
 6ab904e8ee4b9f4986b09f46ac99e3e358adacc2 10624 heat-api-cloudwatch_7.0.0-2_all.deb
 2a05c41329f2fa7085fccb7782a689146f6a9b39 10660 heat-api_7.0.0-2_all.deb
 0bc06a95e2be141b66eb8fbb9f471e053ed76e40 59026 heat-common_7.0.0-2_all.deb
 6b4f1b1f45eaa5938529ef4bf5a0612d59277b08 797574 heat-doc_7.0.0-2_all.deb
 50ec58793f694ea4b9611822cb7e93aa6ebee6ea 10724 heat-engine_7.0.0-2_all.deb
 4f00ba67634abbc16569c76f4c229a1080ce309a 15445 heat_7.0.0-2_amd64.buildinfo
 86df6606ae504b66f411d224ed4052730f31efd2 835966 python-heat_7.0.0-2_all.deb
Checksums-Sha256:
 0f6dcada9ddd9864f4b4416c7799eae69a46e4146d8579bcc73a5ae47c585995 4636 heat_7.0.0-2.dsc
 cbcb262df38fc66aac194565de954860a9bfe30660447639f5fa2082ac730715 29172 heat_7.0.0-2.debian.tar.xz
 9b64eedc0fc1d9a68efb872cea5db1cf8c7b4eea92fc23e0ef32fb3a3bc7ea08 10690 heat-api-cfn_7.0.0-2_all.deb
 534401d157eddfb7d1abd98345a9a6b8ee0cbbaa2cc62a3b34d3798b1fd79144 10624 heat-api-cloudwatch_7.0.0-2_all.deb
 624650a6114250a1cec4585944db089ee02ad973386e2d7451f6f2caeec64b02 10660 heat-api_7.0.0-2_all.deb
 817dfed0885019364b6a295b1208089eeaf4c4bd930487282036d071fcdc84ae 59026 heat-common_7.0.0-2_all.deb
 531b2b40e4689c2c270839f5b560c482f2899532fae1a5e13cde2d42e8f22889 797574 heat-doc_7.0.0-2_all.deb
 852f294278ad6acf8c6b2e8a862c26ce0c71608e927baea5dea82afd8629af87 10724 heat-engine_7.0.0-2_all.deb
 c6309944d73346eb9431e70079f7c78061211427888b7dbf537f738d13055248 15445 heat_7.0.0-2_amd64.buildinfo
 551c6be0745d5e2124cb479559146538edad2b2c793422418515b7f4fd89f5fd 835966 python-heat_7.0.0-2_all.deb
Files:
 474178a7f2dc1ac59f1fb67275b91640 4636 web optional heat_7.0.0-2.dsc
 f23073cebf8d6e086e7c7cfea3af4f8c 29172 web optional heat_7.0.0-2.debian.tar.xz
 81ce1a468045600f54b0941f31377bb6 10690 web optional heat-api-cfn_7.0.0-2_all.deb
 5340a16f7dc0a0ef2958fef75dce3a56 10624 web optional heat-api-cloudwatch_7.0.0-2_all.deb
 e84b1fb187015817d55ad616f4dda19e 10660 web optional heat-api_7.0.0-2_all.deb
 256919cd2b2f54dd132fd0cea85acb18 59026 web optional heat-common_7.0.0-2_all.deb
 189a0ee3bb7fbad64278708f01075f40 797574 doc optional heat-doc_7.0.0-2_all.deb
 7dd08c4de909b290a5df137794cfa70f 10724 web optional heat-engine_7.0.0-2_all.deb
 2a965a201255666830ac7c5ec1b88d98 15445 web optional heat_7.0.0-2_amd64.buildinfo
 6a07375053e08bd93b148fee365a329c 835966 python optional python-heat_7.0.0-2_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Feb 2017 07:26:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:43:56 2019; Machine Name: beach
