Your message dated Sat, 09 Dec 2017 12:03:01 +0000
with message-id <e1endqp-0004lx...@fasolo.debian.org>
and subject line Bug#882009: fixed in nova 2:14.0.0-4+deb9u1
has caused the Debian Bug report #882009,
regarding CVE-2017-16239: Nova Filter Scheduler bypass through rebuild action
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nova
Version: 2:14.0.0-4
Severity: important
Tags: patch security

Reporting the OpenStack Security Announcement, uploading soon.

==================================================================
OSSA-2017-005: Nova Filter Scheduler bypass through rebuild action
==================================================================

:Date: November 14, 2017
:CVE: CVE-2017-16239


Affects
~~~~~~~
- Nova: <=14.0.9, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2


Description
~~~~~~~~~~~
George Shuklin from servers.com reported a vulnerability in Nova. By
rebuilding an instance, an authenticated user may be able to
circumvent the Filter Scheduler bypassing imposed filters (for
example, the ImagePropertiesFilter or the IsolatedHostsFilter). All
setups using Nova Filter Scheduler are affected.


Patches
~~~~~~~
- https://review.openstack.org/519684 (Newton)
- https://review.openstack.org/519681 (Ocata)
- https://review.openstack.org/519672 (Pike)
- https://review.openstack.org/519662 (Queens)


Credits
~~~~~~~
- George Shuklin from Servers.com (CVE-2017-16239)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1664931
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16239

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team

--- End Message ---
--- Begin Message ---
Source: nova
Source-Version: 2:14.0.0-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 17 Nov 2017 15:41:15 +0000
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-qemu
 nova-compute-kvm nova-compute-ironic nova-conductor nova-cert nova-scheduler
 nova-volume nova-api nova-network nova-console nova-consoleauth nova-doc
 nova-cells nova-consoleproxy nova-placement-api
Architecture: source all
Version: 2:14.0.0-4+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 nova-api   - OpenStack Compute - compute API frontend
 nova-cells - Openstack Compute - cells
 nova-cert  - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-ironic - OpenStack Compute - compute node (Ironic)
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-conductor - OpenStack Compute - conductor service
 nova-console - OpenStack Compute - console
 nova-consoleauth - OpenStack Compute - Console Authenticator
 nova-consoleproxy - OpenStack Compute - NoVNC proxy
 nova-doc   - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-placement-api - OpenStack compute - placement API
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage metapackage
 python-nova - OpenStack Compute - libraries
Closes: 882009
Changes:
 nova (2:14.0.0-4+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-16239 / OSSA-2017-005: Nova Filter Scheduler bypass through
     rebuild action. Applied upstream patch: Validate new image via scheduler
     during rebuild (Closes: #882009).
   * Fixed nova-placement-api init to use uwsgi. The old init file was simply
     not working at all.
   * Add CVE-2017-17051_Refined_fix_for_validating_image_on_rebuild.patch.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
