Hi Thomas,

On Sat, Apr 06, 2019 at 11:46:17PM +0200, Thomas Goirand wrote:
> On 4/6/19 9:49 AM, Salvatore Bonaccorso wrote:
> > Source: neutron
> > Version: 2:13.0.2-14
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://bugs.launchpad.net/ossa/+bug/1813007
> >
> > Hi,
> >
> > The following vulnerability was published for neutron.
> >
> > CVE-2019-10876[0]:
> > | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x
> > | before 12.0.6, and 13.x before 13.0.3. By creating two security groups
> > | with separate/overlapping port ranges, an authenticated user may
> > | prevent Neutron from being able to configure networks on any compute
> > | nodes where those security groups are present, because of an Open
> > | vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing
> > | neutron-openvswitch-agent are affected.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-10876
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876
> > [1] https://bugs.launchpad.net/ossa/+bug/1813007
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> I had a look at the code, and it changed a lot since the version in
> Stretch, which doesn't seem to have the issue.
>
> Moreover, if you read closely
> https://bugs.launchpad.net/ossa/+bug/1813007, and especially comment
> #48, it looks like this issue is only there since OpenStack Pike. The
> version of OpenStack that is in Stretch is Newton (so, one year before
> that). Therefore, Stretch (and before) isn't affected. Please update the
> security tracker.
Thanks for the research. I have made the change to the security-tracker
data[1].

[1] https://salsa.debian.org/security-tracker-team/security-tracker/commit/f2b65a8593ea7707cdfec20125cec37c672908d1

> I have uploaded a fix for Rocky (currently in Sid/Buster), and will ask
> for the unblock on Monday.

Thank you!

Regards,
Salvatore
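The advisory quoted above names the trigger condition for CVE-2019-10876 as two security groups with overlapping port ranges. The following audit helper is an added example, not code from this thread, from Neutron or from Debian: it takes security group rules as dicts using Neutron's API field names (`security_group_id`, `direction`, `ethertype`, `protocol`, `port_range_min`, `port_range_max`) and reports rule pairs from different groups whose TCP/UDP port ranges overlap, so an operator on a not-yet-patched agent can spot the condition before attaching such groups to ports. Restricting the comparison to rules with matching direction, ethertype and protocol is an assumption made here to limit noise, not something the advisory states; the sample rules are constructed.

```python
from itertools import combinations

FULL_RANGE = (1, 65535)


def port_range(rule):
    """Return (min, max) for a rule; a rule without ports covers all 1-65535."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return FULL_RANGE
    # Neutron accepts a single port as min or max alone; treat it as min==max.
    lo = hi if lo is None else lo
    hi = lo if hi is None else hi
    return (lo, hi)


def ranges_overlap(a, b):
    """Closed intervals overlap when each starts no later than the other ends."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_overlapping_rules(rules):
    """Return (id_a, id_b) pairs of rules in *different* security groups with
    the same direction/ethertype/protocol (assumption) whose ranges overlap."""
    findings = []
    for r1, r2 in combinations(rules, 2):
        if r1["security_group_id"] == r2["security_group_id"]:
            continue  # the advisory's condition involves two distinct groups
        key = ("direction", "ethertype", "protocol")
        if any(r1[k] != r2[k] for k in key) or r1["protocol"] not in ("tcp", "udp"):
            continue  # only port-carrying protocols have ranges to compare
        if ranges_overlap(port_range(r1), port_range(r2)):
            findings.append((r1["id"], r2["id"]))
    return findings


# Constructed sample: sg-a and sg-b overlap on TCP 8050-8100; sg-c is UDP.
SAMPLE_RULES = [
    {"id": "r1", "security_group_id": "sg-a", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 8000, "port_range_max": 8100},
    {"id": "r2", "security_group_id": "sg-b", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 8050, "port_range_max": 8200},
    {"id": "r3", "security_group_id": "sg-b", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"id": "r4", "security_group_id": "sg-c", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "udp", "port_range_min": 8050, "port_range_max": 8060},
]

if __name__ == "__main__":
    for a, b in find_overlapping_rules(SAMPLE_RULES):
        print(f"overlapping port ranges across groups: {a} <-> {b}")
```

Feed it the rule list from `openstack security group rule list -f json` (with the fields above) to audit a real deployment.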