Source: aodh
Version: 3.0.0-4
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for aodh.

CVE-2017-12440[0]:
| Aodh as packaged in Openstack Ocata and Newton before change-ID
| I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not
| verify that trust IDs belong to the user when creating alarm action
| with the scheme trust+http, which allows remote authenticated users
| with knowledge of trust IDs where Aodh is the trustee to obtain a
| Keystone token and perform unspecified authenticated actions by adding
| an alarm action with the scheme trust+http, and providing a trust id
| where Aodh is the trustee.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12440
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440
[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0080

Regards,
Salvatore
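The missing authorization check the CVE text describes, shown as an added example that is neither part of the bug report above nor aodh's own code. It assumes that a trust+http alarm action carries the trust id as the username component of the URL (with the password slot optionally holding "delete"), that a Keystone trust record exposes its creator as trustor_user_id, and it replaces Keystone with a constructed in-memory dict (FAKE_TRUSTS) so it runs offline; the function names are hypothetical. validate_action_unchecked reproduces the pre-fix behaviour (any resolvable trust id is accepted), validate_action adds the ownership check.

```python
from urllib.parse import urlparse

# Constructed sample trust records standing in for Keystone's trust API.
# Both trusts name the Aodh service user as trustee; they were created by
# two different users. (Constructed data, not from the report.)
FAKE_TRUSTS = {
    "trust-alice-001": {"trustor_user_id": "alice", "trustee_user_id": "aodh-svc"},
    "trust-bob-002": {"trustor_user_id": "bob", "trustee_user_id": "aodh-svc"},
}


class TrustValidationError(Exception):
    """Raised when a trust id cannot be resolved or is not owned by the caller."""


def get_trust(trust_id, trusts=FAKE_TRUSTS):
    """Stand-in (assumption) for a Keystone trusts.get() call."""
    try:
        return trusts[trust_id]
    except KeyError:
        raise TrustValidationError("trust %s not found" % trust_id) from None


def trust_id_from_action(action_url):
    """Return the trust id embedded in a trust+http(s) alarm action, or None.

    Assumed layout: trust+http://<trust_id>[:delete]@<host>/<path>, i.e. the
    trust id is the username component of the URL's netloc.
    """
    url = urlparse(action_url)
    if url.scheme not in ("trust+http", "trust+https"):
        return None
    return url.username


def validate_action_unchecked(action_url, user_id):
    """Vulnerable variant: accepts any trust id that exists.

    Any authenticated user who knows a trust id where Aodh is the trustee
    can attach it to their own alarm and have Aodh act with that trust.
    """
    trust_id = trust_id_from_action(action_url)
    if trust_id is not None:
        get_trust(trust_id)  # existence is the only thing verified
    return True


def validate_action(action_url, user_id):
    """Hardened variant: the trust must have been created by the caller."""
    trust_id = trust_id_from_action(action_url)
    if trust_id is None:
        return True  # not a trust+http action, nothing to verify
    trust = get_trust(trust_id)
    if trust["trustor_user_id"] != user_id:
        raise TrustValidationError(
            "trust %s does not belong to user %s" % (trust_id, user_id))
    return True


if __name__ == "__main__":
    action = "trust+http://trust-alice-001:delete@hook.example.test/fire"
    print("unchecked, bob reusing alice's trust:",
          validate_action_unchecked(action, "bob"))
    try:
        validate_action(action, "bob")
    except TrustValidationError as exc:
        print("checked, bob reusing alice's trust:", exc)
```

The check runs at alarm creation and update time, when the action URL is first accepted; the notifier that later redeems the trust for a token has no way to tell whose trust it is, so rejecting foreign trust ids at the API boundary is the only place the decision can be made.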