Your message dated Thu, 14 Mar 2019 10:06:02 +0000
with message-id <e1h4nfs-0003fd...@fasolo.debian.org>
and subject line Bug#924508: fixed in neutron 2:13.0.2-13
has caused the Debian Bug report #924508,
regarding neutron: CVE-2019-9735: it's possible to add a security group rule
for VRRP with a dport
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
924508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: neutron
Version: 2:13.0.2-10
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.launchpad.net/neutron/+bug/1818385
Hi,
The following vulnerability was published for neutron.
CVE-2019-9735[0]:
| An issue was discovered in the iptables firewall module in OpenStack
| Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x
| before 13.0.3. By setting a destination port in a security group rule
| along with a protocol that doesn't support that option (for example,
| VRRP), an authenticated user may block further application of security
| group rules for instances from any project/tenant on the compute hosts
| to which it's applied. (Only deployments using the iptables security
| group driver are affected.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9735
[1] https://bugs.launchpad.net/neutron/+bug/1818385
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: neutron
Source-Version: 2:13.0.2-13
We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated neutron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 14 Mar 2019 00:13:45 +0100
Source: neutron
Binary: neutron-api neutron-common neutron-dhcp-agent neutron-l3-agent
neutron-linuxbridge-agent neutron-macvtap-agent neutron-metadata-agent
neutron-metering-agent neutron-openvswitch-agent neutron-plugin-nec-agent
neutron-rpc-server neutron-server neutron-sriov-agent python3-neutron
Architecture: source all
Version: 2:13.0.2-13
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
neutron-api - OpenStack virtual network service - API service
neutron-common - OpenStack virtual network service - common files
neutron-dhcp-agent - OpenStack virtual network service - DHCP agent
neutron-l3-agent - OpenStack virtual network service - l3 agent
neutron-linuxbridge-agent - OpenStack virtual network service - Linux bridge agent
neutron-macvtap-agent - OpenStack virtual network service - MacVTap Agent
neutron-metadata-agent - OpenStack virtual network service - metadata agent
neutron-metering-agent - OpenStack virtual network service - metering agent
neutron-openvswitch-agent - OpenStack virtual network service - Open vSwitch agent
neutron-plugin-nec-agent - OpenStack virtual network service - NEC agent
neutron-rpc-server - OpenStack virtual network service - RPC service
neutron-server - OpenStack virtual network service - metapackage for the server
neutron-sriov-agent - OpenStack virtual network service - SR-IOV agent
python3-neutron - OpenStack virtual network service - Python library
Closes: 924508
Changes:
neutron (2:13.0.2-13) unstable; urgency=high
.
* CVE-2019-9735: it's possible to add a security group rule for VRRP with a
dport. Apply upstream patch: When converting sg rules to iptables, do not
emit dport if not supported. (Closes: #924508).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
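
The flaw in the CVE text and the fix in the changelog ("do not emit dport if not supported"), as an added Python example that is not part of the original messages and is not Neutron's code. The function names, the simplified rule dictionaries, the `PORT_CAPABLE` set and the all-or-nothing load model are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not Neutron's API.
# Protocols whose iptables match extension accepts --dport (assumed list).
PORT_CAPABLE = frozenset({"tcp", "udp", "udplite", "sctp", "dccp"})


def rule_to_iptables_args(rule, strict=True):
    """Convert a simplified security group rule into iptables match args.

    strict=False reproduces the flaw in the advisory: the destination
    port is emitted whatever the protocol. strict=True drops the port
    when the protocol has no notion of ports (for example VRRP).
    """
    proto = str(rule.get("protocol", "")).lower()
    args = ["-p", proto] if proto else []
    pmin, pmax = rule.get("port_range_min"), rule.get("port_range_max")
    if pmin is not None and (not strict or proto in PORT_CAPABLE):
        port = str(pmin) if pmax in (None, pmin) else f"{pmin}:{pmax}"
        args += ["--dport", port]
    return args + ["-j", "RETURN"]


def batch_is_loadable(batch):
    """Model an all-or-nothing ruleset load: one invalid line rejects it all."""
    for args in batch:
        if "--dport" in args:
            proto = args[args.index("-p") + 1] if "-p" in args else ""
            if proto not in PORT_CAPABLE:
                return False
    return True


def build_host_batch(rules, strict=True):
    """Render every rule destined for one compute host into a single batch."""
    return [rule_to_iptables_args(r, strict=strict) for r in rules]


# Constructed sample: rules from three tenants landing on the same host.
SAMPLE_RULES = [
    {"tenant": "A", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"tenant": "B", "protocol": "vrrp", "port_range_min": 1234, "port_range_max": 1234},
    {"tenant": "C", "protocol": "udp", "port_range_min": 5000, "port_range_max": 5010},
]

if __name__ == "__main__":
    for strict in (False, True):
        batch = build_host_batch(SAMPLE_RULES, strict=strict)
        print("checked" if strict else "unchecked", "loadable:", batch_is_loadable(batch))
        for line in batch:
            print("   ", " ".join(line))
```

In the unchecked batch, tenant B's single VRRP rule makes the whole host batch unloadable, so tenant A's and tenant C's rules are not applied either; with the check in place the port is dropped and the batch loads.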