Your message dated Sat, 09 Dec 2017 12:03:01 +0000
with message-id <e1endqp-0004lx...@fasolo.debian.org>
and subject line Bug#882009: fixed in nova 2:14.0.0-4+deb9u1
has caused the Debian Bug report #882009,
regarding CVE-2017-16239: Nova Filter Scheduler bypass through rebuild action
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
882009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nova
Version: 2:14.0.0-4
Severity: important
Tags: patch security
Reporting the OpenStack Security Announcement, uploading soon.
==================================================================
OSSA-2017-005: Nova Filter Scheduler bypass through rebuild action
==================================================================

:Date: November 14, 2017
:CVE: CVE-2017-16239

Affects
~~~~~~~
- Nova: <=14.0.9, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2

Description
~~~~~~~~~~~
George Shuklin from servers.com reported a vulnerability in Nova. By
rebuilding an instance, an authenticated user may be able to
circumvent the Filter Scheduler bypassing imposed filters (for
example, the ImagePropertiesFilter or the IsolatedHostsFilter). All
setups using Nova Filter Scheduler are affected.

Patches
~~~~~~~
- https://review.openstack.org/519684 (Newton)
- https://review.openstack.org/519681 (Ocata)
- https://review.openstack.org/519672 (Pike)
- https://review.openstack.org/519662 (Queens)

Credits
~~~~~~~
- George Shuklin from Servers.com (CVE-2017-16239)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1664931
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16239

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
--- End Message ---
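
A simplified model of the flaw and of the fix named in the changelog ("Validate new image via scheduler during rebuild"), added here as an illustration; it is not Nova code. The `Host`, `Image` and `Instance` classes and the two stand-in filters are assumptions constructed for the example.

```python
# Simplified model, not Nova code; classes, filters and values are constructed.
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    hypervisor_type: str
    isolated: bool = False
@dataclass
class Image:
    name: str
    hypervisor_type: str
    isolated: bool = False

@dataclass
class Instance:
    host: Host
    image: Image

def image_properties_filter(host, image):
    # Stand-in for ImagePropertiesFilter: the host must satisfy the image's requirements.
    return host.hypervisor_type == image.hypervisor_type

def isolated_hosts_filter(host, image):
    # Stand-in for IsolatedHostsFilter: isolated images and hosts only pair with each other.
    return host.isolated == image.isolated

FILTERS = (image_properties_filter, isolated_hosts_filter)
def host_passes(host, image):
    return all(f(host, image) for f in FILTERS)

def schedule(hosts, image):
    # Initial boot: the first host that passes every filter gets the instance.
    for host in hosts:
        if host_passes(host, image):
            return Instance(host, image)
    raise LookupError("no valid host")

def rebuild_unchecked(instance, new_image):
    # Behaviour the advisory describes: the image changes, the filters never run.
    instance.image = new_image
    return instance

def rebuild_validated(instance, new_image):
    # Fixed behaviour: a changed image is re-validated against the current host.
    if new_image != instance.image and not host_passes(instance.host, new_image):
        raise LookupError("no valid host for new image")
    instance.image = new_image
    return instance
```

In this model, an instance booted from an ordinary image on a general host and then rebuilt with an isolated image ends up in a placement the filters would have refused at boot; the validated rebuild rejects the request and leaves the instance unchanged.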
--- Begin Message ---
Source: nova
Source-Version: 2:14.0.0-4+deb9u1
We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 17 Nov 2017 15:41:15 +0000
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-qemu
 nova-compute-kvm nova-compute-ironic nova-conductor nova-cert nova-scheduler
 nova-volume nova-api nova-network nova-console nova-consoleauth nova-doc
 nova-cells nova-consoleproxy nova-placement-api
Architecture: source all
Version: 2:14.0.0-4+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 nova-api - OpenStack Compute - compute API frontend
 nova-cells - Openstack Compute - cells
 nova-cert - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-ironic - OpenStack Compute - compute node (Ironic)
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-placement-api - OpenStack compute - placement API
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 882009
Changes:
 nova (2:14.0.0-4+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-16239 / OSSA-2017-005: Nova Filter Scheduler bypass through
     rebuild action. Applied upstream patch: Validate new image via scheduler
     during rebuild (Closes: #882009).
   * Fixed nova-placement-api init to use uwsgi. The old init file was simply
     not working at all.
   * Add CVE-2017-17051_Refined_fix_for_validating_image_on_rebuild.patch.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---