On 4/6/19 9:49 AM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:13.0.2-14
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://bugs.launchpad.net/ossa/+bug/1813007
>
> Hi,
>
> The following vulnerability was published for neutron.
>
> CVE-2019-10876[0]:
> | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x
> | before 12.0.6, and 13.x before 13.0.3. By creating two security groups
> | with separate/overlapping port ranges, an authenticated user may
> | prevent Neutron from being able to configure networks on any compute
> | nodes where those security groups are present, because of an Open
> | vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing
> | neutron-openvswitch-agent are affected.
>
> If you fix the vulnerability, please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10876
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876
> [1] https://bugs.launchpad.net/ossa/+bug/1813007
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Hi Salvatore,

I had a look at the code, and it changed a lot since the version in Stretch, which doesn't seem to have the issue. Moreover, if you read closely https://bugs.launchpad.net/ossa/+bug/1813007, and especially comment #48, it looks like this issue has only been there since OpenStack Pike. The version of OpenStack that is in Stretch is Newton (so, one year before that). Therefore, Stretch (and before) isn't affected. Please update the security tracker.

I have uploaded a fix for Rocky (currently in Sid/Buster), and will ask for the unblock on Monday.

Cheers,

Thomas Goirand (zigo)
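Added example, not code from either message nor from Neutron itself: a Python pre-check a deployer could run over exported security group rules to flag overlapping TCP/UDP port ranges between different groups, the condition the CVE text above describes as the trigger for the OVS firewall KeyError. The rule dicts are constructed, and comparing only rules that share protocol, direction and ethertype is an assumption of this check (the bug text does not say which fields must coincide).

```python
from itertools import combinations

# Constructed sample rules in the shape of Neutron security group rules
# (field names as in the Neutron API; the values are made up for this example).
SAMPLE_RULES = [
    {"security_group_id": "sg-web", "protocol": "tcp", "direction": "ingress",
     "ethertype": "IPv4", "port_range_min": 80, "port_range_max": 90},
    {"security_group_id": "sg-app", "protocol": "tcp", "direction": "ingress",
     "ethertype": "IPv4", "port_range_min": 85, "port_range_max": 100},
    {"security_group_id": "sg-app", "protocol": "udp", "direction": "ingress",
     "ethertype": "IPv4", "port_range_min": 53, "port_range_max": 53},
    {"security_group_id": "sg-db", "protocol": "tcp", "direction": "egress",
     "ethertype": "IPv4", "port_range_min": 80, "port_range_max": 90},
    # Unset ports: Neutron treats this as "all ports" for TCP/UDP.
    {"security_group_id": "sg-db", "protocol": "tcp", "direction": "ingress",
     "ethertype": "IPv4", "port_range_min": None, "port_range_max": None},
]

def port_range(rule):
    """Normalize a TCP/UDP rule's range; unset ports mean the whole range."""
    lo = rule.get("port_range_min") or 1
    hi = rule.get("port_range_max") or 65535
    return lo, hi

def ranges_overlap(a, b):
    """True when the closed intervals a and b share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]

def find_cross_group_overlaps(rules):
    """Return (sg_x, sg_y, protocol, direction, shared_range) for each pair of
    TCP/UDP rules from *different* groups whose port ranges overlap.
    Matching on protocol/direction/ethertype is an assumption of this check."""
    hits = []
    tcp_udp = [r for r in rules if r["protocol"] in ("tcp", "udp")]
    key = lambda r: (r["protocol"], r["direction"], r["ethertype"])
    for r1, r2 in combinations(tcp_udp, 2):
        if r1["security_group_id"] == r2["security_group_id"]:
            continue  # overlaps inside one group are not the reported case
        if key(r1) != key(r2):
            continue
        a, b = port_range(r1), port_range(r2)
        if ranges_overlap(a, b):
            shared = (max(a[0], b[0]), min(a[1], b[1]))
            hits.append((r1["security_group_id"], r2["security_group_id"],
                         r1["protocol"], r1["direction"], shared))
    return hits

if __name__ == "__main__":
    for hit in find_cross_group_overlaps(SAMPLE_RULES):
        print("overlapping port range between groups:", hit)
```

Running it on the sample flags three ingress TCP pairs (sg-web/sg-app on 85-90, and both against sg-db's all-ports rule); the UDP rule and the egress rule do not match anything.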