Debian Bug report logs -
#993398
neutron: CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>
:
Bug#993398
; Package src:neutron
.
(Tue, 31 Aug 2021 19:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>
.
(Tue, 31 Aug 2021 19:21:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: neutron
Version: 2:18.1.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://launchpad.net/bugs/1939733
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2:17.1.1-6
Hi,
The following vulnerability was published for neutron.
CVE-2021-40085[0]:
| An issue was discovered in OpenStack Neutron before 16.4.1, 17.x
| before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can
| reconfigure dnsmasq via a crafted extra_dhcp_opts value.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-40085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
[1] https://launchpad.net/bugs/1939733
[2] https://www.openwall.com/lists/oss-security/2021/08/31/2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions neutron/2:17.1.1-6.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Tue, 31 Aug 2021 19:21:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>
:
Bug#993398
; Package src:neutron
.
(Wed, 01 Sep 2021 08:09:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <zigo@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>
.
(Wed, 01 Sep 2021 08:09:07 GMT) (full text, mbox, link).
Message #12 received at 993398@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 8/31/21 9:17 PM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:18.1.0-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://launchpad.net/bugs/1939733
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 2:17.1.1-6
>
> Hi,
>
> The following vulnerability was published for neutron.
>
> CVE-2021-40085[0]:
> | An issue was discovered in OpenStack Neutron before 16.4.1, 17.x
> | before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can
> | reconfigure dnsmasq via a crafted extra_dhcp_opts value.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-40085
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
> [1] https://launchpad.net/bugs/1939733
> [2] https://www.openwall.com/lists/oss-security/2021/08/31/2
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Dear Security team,
Please find attached the debdiff to close this bug in Bullseye. Let me
know if I can upload right away.
I'm preparing updates for Unstable and Buster (the patch applies kind of
cleanly in Buster as well, modulo a few tests).
Cheers,
Thomas Goirand (zigo)
[neutron_17.1.1-6+deb11u1.debdiff (text/plain, attachment)]
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#993398.
(Wed, 01 Sep 2021 12:18:03 GMT) (full text, mbox, link).
Message #15 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/openstack-team/services/neutron/-/commit/b4ddfab9af3d87809eb17502d0c2bf9d3bf4dc33
------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
authenticated user may add arbitrary configuration to the dnsmasq process
in order to crash the service, change parameters for other tenants sharing
the same interface, or otherwise alter that daemon's behavior. This
vulnerability may also be used to trigger a configuration parsing buffer
overflow in versions of dnsmasq prior to 2.81, which could lead to remote
code execution. All Neutron deployments are affected. Added upstream
patch: Remove dhcp_extra_opt value after first newline character.
(Closes: #993398)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/993398
Added tag(s) pending.
Request was from Thomas Goirand <zigo@debian.org>
to 993398-submitter@bugs.debian.org
.
(Wed, 01 Sep 2021 12:18:03 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#993398.
(Wed, 01 Sep 2021 12:18:05 GMT) (full text, mbox, link).
Message #20 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/openstack-team/services/neutron/-/commit/8a70539dc9afdb80b2f0aac4f8e44e784729c6ab
------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
authenticated user may add arbitrary configuration to the dnsmasq process
in order to crash the service, change parameters for other tenants sharing
the same interface, or otherwise alter that daemon's behavior. This
vulnerability may also be used to trigger a configuration parsing buffer
overflow in versions of dnsmasq prior to 2.81, which could lead to remote
code execution. All Neutron deployments are affected. Added upstream
patch: Remove dhcp_extra_opt value after first newline character.
(Closes: #993398)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/993398
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#993398.
(Wed, 01 Sep 2021 14:54:04 GMT) (full text, mbox, link).
Message #23 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/openstack-team/services/neutron/-/commit/efe0b21d0ebe8e36c8773076a3c347ca5478665e
------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
authenticated user may add arbitrary configuration to the dnsmasq process
in order to crash the service, change parameters for other tenants sharing
the same interface, or otherwise alter that daemon's behavior. This
vulnerability may also be used to trigger a configuration parsing buffer
overflow in versions of dnsmasq prior to 2.81, which could lead to remote
code execution. All Neutron deployments are affected. Added upstream
patch: Remove dhcp_extra_opt value after first newline character.
(Closes: #993398)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/993398
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#993398.
(Wed, 01 Sep 2021 14:57:09 GMT) (full text, mbox, link).
Message #26 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/openstack-team/services/neutron/-/commit/d10f649abf34ab9b85080667b448eb27fb2d96c2
------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
authenticated user may add arbitrary configuration to the dnsmasq process
in order to crash the service, change parameters for other tenants sharing
the same interface, or otherwise alter that daemon's behavior. This
vulnerability may also be used to trigger a configuration parsing buffer
overflow in versions of dnsmasq prior to 2.81, which could lead to remote
code execution. All Neutron deployments are affected. Added upstream
patch: Remove dhcp_extra_opt value after first newline character.
(Closes: #993398).
* Refresh patches.
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/993398
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#993398.
(Wed, 01 Sep 2021 15:33:05 GMT) (full text, mbox, link).
Message #29 received at 993398-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #993398 in neutron reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/openstack-team/services/neutron/-/commit/ffe208b6bd1e9840764b7568cf17200949de8959
------------------------------------------------------------------------
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
authenticated user may add arbitrary configuration to the dnsmasq process
in order to crash the service, change parameters for other tenants sharing
the same interface, or otherwise alter that daemon's behavior. This
vulnerability may also be used to trigger a configuration parsing buffer
overflow in versions of dnsmasq prior to 2.81, which could lead to remote
code execution. All Neutron deployments are affected. Added upstream
patch: Remove dhcp_extra_opt value after first newline character.
(Closes: #993398)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/993398
Reply sent
to Thomas Goirand <zigo@debian.org>
:
You have taken responsibility.
(Wed, 01 Sep 2021 15:51:04 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Wed, 01 Sep 2021 15:51:04 GMT) (full text, mbox, link).
Message #34 received at 993398-close@bugs.debian.org (full text, mbox, reply):
Source: neutron
Source-Version: 2:18.1.0-3
Done: Thomas Goirand <zigo@debian.org>
We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 993398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated neutron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 01 Sep 2021 17:00:21 +0200
Source: neutron
Architecture: source
Version: 2:18.1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 993398
Changes:
neutron (2:18.1.0-3) unstable; urgency=medium
.
* CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
authenticated user may add arbitrary configuration to the dnsmasq process
in order to crash the service, change parameters for other tenants sharing
the same interface, or otherwise alter that daemon's behavior. This
vulnerability may also be used to trigger a configuration parsing buffer
overflow in versions of dnsmasq prior to 2.81, which could lead to remote
code execution. All Neutron deployments are affected. Added upstream
patch: Remove dhcp_extra_opt value after first newline character.
(Closes: #993398)
Checksums-Sha1:
b19878edadc3a48daf31df74495514294bba2439 4762 neutron_18.1.0-3.dsc
3e61dc3b9342149ff79f6cdeea7e63b7dfe10700 39996 neutron_18.1.0-3.debian.tar.xz
a6bec40e2413fcf5a170ae52f3973e019e60007b 19982 neutron_18.1.0-3_amd64.buildinfo
Checksums-Sha256:
049c759e40112a08af1c3ac7ec0baf0882e56aec21d1ad555f4b524557ef94dc 4762 neutron_18.1.0-3.dsc
42af8b7dc069d73c69ae470f6cffdb42e9883786932f8e6f0b88510ebed53bda 39996 neutron_18.1.0-3.debian.tar.xz
bc95f76293a4f6d3d7203e6f2e31663bb050390d013cf1b937a0ebc0c1d3ec81 19982 neutron_18.1.0-3_amd64.buildinfo
Files:
17c2ce9a03cc6e6b7fa197338a57a714 4762 net optional neutron_18.1.0-3.dsc
6e03682981eea64fd1bbeb83eff21d21 39996 net optional neutron_18.1.0-3.debian.tar.xz
02d8dc2f973f20a816af0909ac0d6480 19982 net optional neutron_18.1.0-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmEvnN4ACgkQ1BatFaxr
Q/5t9RAAlZpKWs0alsHWbPp+rfHajndkgd1pQM/4k6CPn0RnZNHEi9Jr/qziw37A
ZXHaZF2il6M6+TVIoMXv46BlILvkyD0KQS2iJul5IwYt6OAwyhTIemYmxTEpzL55
XNYmBNVi4ic9OUSpjgxEeiNrL/DxUOoIZdM3XSPfjmkRGIKRXJP76O5MzuEtA9I4
l8WwEMqnCD7bRdtaAHPGHWUH3vejILqHbKEYr7gTfAOOKuXVwn/Abp3hVXTBqSKi
YiQRdNi36Y1xQUhEzneZtXWJ8jIdyw2Y185ED3qcSuaPqTZ8tJEG/eYKJd36vdGY
QaA39zKS/+n9DHNBShBqzOw9X08kDDbciUkfm+CE6MSwN04p1QVsm57qBxlBba8Z
B8j+VzSLJVNWIsFvtjpFdgRWCJ4tvio8GD90m3wHsL9g59f+/qktYlcJKZeI96Aw
54Z6u3iuVACF9ngs5+UsEHt0GDuSCkY9krTBbvi8bXSUcEBWn62j102TRD2girPT
TCDNQe7D5glw+Q4XigBQOZTUuCI7o+PIbUQBcxk8vOwGeNRA0kB6sofnpdbjrF5B
+ZyQVPL0dZFI3EPg2TuBf6BdHFC8JaVOjoQ1waWlc+eADcC9DpDA6f7nwsLZPIsB
cW+SPqMeRJnF3uRDbtVOYCcbE/ZIits/vkdaPmt6eRIC8opGTP8=
=UArM
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Sep 1 16:20:33 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.