Your message dated Sat, 16 Oct 2021 14:32:07 +0000
with message-id <e1mbkjh-0001zx...@fasolo.debian.org>
and subject line Bug#993398: fixed in neutron 2:17.2.1-0+deb11u1
has caused the Debian Bug report #993398,
regarding neutron: CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
993398: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993398
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: neutron
Version: 2:18.1.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://launchpad.net/bugs/1939733
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2:17.1.1-6

Hi,

The following vulnerability was published for neutron.

CVE-2021-40085[0]:
| An issue was discovered in OpenStack Neutron before 16.4.1, 17.x
| before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can
| reconfigure dnsmasq via a crafted extra_dhcp_opts value.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-40085
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
[1] https://launchpad.net/bugs/1939733
[2] https://www.openwall.com/lists/oss-security/2021/08/31/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: neutron
Source-Version: 2:17.2.1-0+deb11u1
Done: Michal Arbet <michal.ar...@ultimum.io>

We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 993...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michal Arbet <michal.ar...@ultimum.io> (supplier of updated neutron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 06 Sep 2021 15:55:27 +0200
Source: neutron
Architecture: source
Version: 2:17.2.1-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Michal Arbet <michal.ar...@ultimum.io>
Closes: 993398
Changes:
 neutron (2:17.2.1-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream release, includes:
     - CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value,
       an authenticated user may add arbitrary configuration to the dnsmasq
       process in order to crash the service, change parameters for other
       tenants sharing the same interface, or otherwise alter that daemon's
       behavior. This vulnerability may also be used to trigger a configuration
       parsing buffer overflow in versions of dnsmasq prior to 2.81, which could
       lead to remote code execution. All Neutron deployments are affected.
       (Closes: #993398).
   * d/patches: Remove upstream applied patches

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
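
An added example, not part of the bug report or of neutron itself: a triage helper that classifies an installed neutron package against the fixed releases named in the CVE text (16.4.1, 17.2.1, 18.1.1) and flags the additional overflow exposure the changelog describes for dnsmasq prior to 2.81. The function names and the sample dnsmasq versions are constructed for illustration, and Debian-style version strings are assumed.

```python
import re

# Fixed upstream releases per series, from the CVE-2021-40085 text in the report.
FIXED = {16: (16, 4, 1), 17: (17, 2, 1), 18: (18, 1, 1)}
# The changelog ties the config-parsing overflow to dnsmasq prior to 2.81.
DNSMASQ_OVERFLOW_FIXED = (2, 81)


def upstream_tuple(version):
    """Drop a Debian epoch ("2:") and revision ("-0+deb11u1"); return ints."""
    upstream = version.split(":", 1)[-1]
    if "-" in upstream:
        upstream = upstream.rsplit("-", 1)[0]
    match = re.match(r"\d+(?:\.\d+)*", upstream)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def neutron_affected(version):
    """True if the upstream version falls in a range the CVE text lists.

    Compares upstream versions only: a package that backports the fix
    without a new upstream release would still be reported as affected,
    so confirm against the distribution's security tracker.
    """
    v = upstream_tuple(version)
    series = v[0]
    if series <= 16:                 # "before 16.4.1" covers older series too
        return v < FIXED[16]
    if series in FIXED:              # "17.x before 17.2.1", "18.x before 18.1.1"
        return v < FIXED[series]
    return False                     # later series are not listed as affected


def assess(neutron_version, dnsmasq_version):
    """Report both exposures described in the changelog entry."""
    affected = neutron_affected(neutron_version)
    old_dnsmasq = upstream_tuple(dnsmasq_version)[:2] < DNSMASQ_OVERFLOW_FIXED
    return {"reconfiguration": affected,
            "dnsmasq_overflow": affected and old_dnsmasq}


if __name__ == "__main__":
    # neutron versions are the ones named in the report; dnsmasq ones are constructed.
    for n, d in [("2:17.1.1-6", "2.80-1"), ("2:18.1.0-2", "2.85-1"),
                 ("2:17.2.1-0+deb11u1", "2.85-1")]:
        print(n, d, assess(n, d))
```
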
