Bug#924508: marked as done (neutron: CVE-2019-9735: it's possible to add a security group rule for VRRP with a dport)

[Debian Bug Tracking System]

Your message dated Fri, 29 Mar 2019 01:20:12 +0000
with message-id <e1h9gbo-0007mh...@fasolo.debian.org>
and subject line Bug#924508: fixed in neutron 2:9.1.1-3+deb9u1
has caused the Debian Bug report #924508,
regarding neutron: CVE-2019-9735: it's possible to add a security group rule 
for VRRP with a dport
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: neutron
Version: 2:13.0.2-10
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.launchpad.net/neutron/+bug/1818385

Hi,

The following vulnerability was published for neutron.

CVE-2019-9735[0]:
| An issue was discovered in the iptables firewall module in OpenStack
| Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x
| before 13.0.3. By setting a destination port in a security group rule
| along with a protocol that doesn't support that option (for example,
| VRRP), an authenticated user may block further application of security
| group rules for instances from any project/tenant on the compute hosts
| to which it's applied. (Only deployments using the iptables security
| group driver are affected.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9735
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9735
[1] https://bugs.launchpad.net/neutron/+bug/1818385

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: neutron
Source-Version: 2:9.1.1-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
neutron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated neutron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 14 Mar 2019 10:41:17 +0100
Source: neutron
Binary: python-neutron neutron-server neutron-common neutron-plugin-nec-agent 
neutron-l3-agent neutron-dhcp-agent neutron-metadata-agent 
neutron-metering-agent neutron-openvswitch-agent neutron-linuxbridge-agent 
neutron-plugin-linuxbridge-agent neutron-plugin-openvswitch-agent 
neutron-sriov-agent neutron-macvtap-agent
Architecture: source all
Version: 2:9.1.1-3+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 neutron-common - OpenStack virtual network service - common files
 neutron-dhcp-agent - OpenStack virtual network service - DHCP agent
 neutron-l3-agent - OpenStack virtual network service - l3 agent
 neutron-linuxbridge-agent - OpenStack virtual network service - Linux bridge 
agent
 neutron-macvtap-agent - OpenStack virtual network service - MacVTap Agent
 neutron-metadata-agent - OpenStack virtual network service - metadata agent
 neutron-metering-agent - OpenStack virtual network service - metering agent
 neutron-openvswitch-agent - OpenStack virtual network service - Open vSwitch 
agent
 neutron-plugin-linuxbridge-agent - transitional dummy package for switching to 
Neutron Linuxbridge a
 neutron-plugin-nec-agent - OpenStack virtual network service - NEC agent
 neutron-plugin-openvswitch-agent - transitional dummy package for switching to 
Neutron OpenVswitch a
 neutron-server - OpenStack virtual network service - server
 neutron-sriov-agent - OpenStack virtual network service - SR-IOV agent
 python-neutron - OpenStack virtual network service - Python library
Closes: 924508
Changes:
 neutron (2:9.1.1-3+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2019-9735: it's possible to add a security group rule for VRRP with a
     dport. Apply upstream patch: When converting sg rules to iptables, do not
     emit dport if not supported. (Closes: #924508).
Checksums-Sha1:
 57f256a0d2c0f00bc167756061fffdd9e6e80091 4926 neutron_9.1.1-3+deb9u1.dsc
 029ab9c8d4046e918401569c2238a9384e0d18a0 2046540 neutron_9.1.1.orig.tar.xz
 d24e651edbc4e1edb4799251b70db33a52a830a2 44852 
neutron_9.1.1-3+deb9u1.debian.tar.xz
 943dfcc557661098b34b5e4d8a5748879ff16fde 66770 
neutron-common_9.1.1-3+deb9u1_all.deb
 d9437588453bd2f9d0c9246842007e68eec86601 22910 
neutron-dhcp-agent_9.1.1-3+deb9u1_all.deb
 cbfb5dcce8c8b64f76aa642c0c9fbd5080674cb4 15488 
neutron-l3-agent_9.1.1-3+deb9u1_all.deb
 a29d7573bbc7d681f15e8b6541e4233fe6450f80 15028 
neutron-linuxbridge-agent_9.1.1-3+deb9u1_all.deb
 29cdf5e24d12e60be25ee7d0520dbd8e52dad1fa 13994 
neutron-macvtap-agent_9.1.1-3+deb9u1_all.deb
 496f2870c0fa61642266fff5cd66ed852b3dc5f8 34760 
neutron-metadata-agent_9.1.1-3+deb9u1_all.deb
 79762d0ac85fb4a359360c5415f1ecfc2679be15 13216 
neutron-metering-agent_9.1.1-3+deb9u1_all.deb
 03fdb3c8dfc73fbebb91cec219352990d9808b1c 12248 
neutron-openvswitch-agent_9.1.1-3+deb9u1_all.deb
 f3a57ef019db1c5bc32369ddf4072a850694e35b 8786 
neutron-plugin-linuxbridge-agent_9.1.1-3+deb9u1_all.deb
 33375e4606e0bf7aedaf32e2a2997c6f7d97448c 9122 
neutron-plugin-nec-agent_9.1.1-3+deb9u1_all.deb
 b3f36ada2ee1acd060882082362a8db908ec0dec 8784 
neutron-plugin-openvswitch-agent_9.1.1-3+deb9u1_all.deb
 20b335ea706b336612b230a9f60f44e87df6eed8 32660 
neutron-server_9.1.1-3+deb9u1_all.deb
 7d4e88aed4d7fe03f45b5a26e5851f042d820757 11798 
neutron-sriov-agent_9.1.1-3+deb9u1_all.deb
 56d6ae0a27a1beec430778c66abd0f56b3e6e11c 18144 
neutron_9.1.1-3+deb9u1_amd64.buildinfo
 560074176a67b10c0e7548dfc5be491270fa9e8e 1447182 
python-neutron_9.1.1-3+deb9u1_all.deb
Checksums-Sha256:
 333f6105fa1dd3f3377a03225e09af854908b57737ea58b5ce7865d949da0d30 4926 
neutron_9.1.1-3+deb9u1.dsc
 f711b6a6a4cdca37c45f37ea697c2c5579ddb329002982344cdd603c1d2327c4 2046540 
neutron_9.1.1.orig.tar.xz
 65ee3b59cc1258b95778181717e069fa409539e5ffdc0226d4cd242cb807c89b 44852 
neutron_9.1.1-3+deb9u1.debian.tar.xz
 ef51069859ec60ceba920e37053703bde066b758312c7edc62c90e3cdebf631c 66770 
neutron-common_9.1.1-3+deb9u1_all.deb
 3c5b4e3f65b6ed048459ce9c1c9b1409c12302c0f2d99ca88b233846f39c8a0b 22910 
neutron-dhcp-agent_9.1.1-3+deb9u1_all.deb
 f59c392a157778cf356f2e84417434bc4fc272d0e9900fff45bd47b713eb79c0 15488 
neutron-l3-agent_9.1.1-3+deb9u1_all.deb
 a27581321227f01c98c85f0b2a21d3c9296c179eae5c037459a72b3e88866b9e 15028 
neutron-linuxbridge-agent_9.1.1-3+deb9u1_all.deb
 4505f4391c0661bef8621816a8c385e199bb60e30c0255f0dd1580dbcb5fb946 13994 
neutron-macvtap-agent_9.1.1-3+deb9u1_all.deb
 15f55a0fafdcc24575d4dccadfacaaf17fda2ae7c01b3528d60ba34e28236e34 34760 
neutron-metadata-agent_9.1.1-3+deb9u1_all.deb
 37bc7674a064b843ccf32ef9a2a31fda056a9054869326bfb8457f69cb5a416f 13216 
neutron-metering-agent_9.1.1-3+deb9u1_all.deb
 0454b103e6c957df0f7ba00a570f21deadaafc587def2e3f5c0391f487c9abe9 12248 
neutron-openvswitch-agent_9.1.1-3+deb9u1_all.deb
 48b1021cad2648aed67c74d3317ae1e8c1d3d813d90ef9867c823c8d5306543c 8786 
neutron-plugin-linuxbridge-agent_9.1.1-3+deb9u1_all.deb
 d24f171d60701e78902ed9b3c8248d0587454f1cc50c8ef23b1c315465b62440 9122 
neutron-plugin-nec-agent_9.1.1-3+deb9u1_all.deb
 8a0d21ec919f9d8fe3694095efd750632ddf394d372d11a907e46443ac67a5fc 8784 
neutron-plugin-openvswitch-agent_9.1.1-3+deb9u1_all.deb
 4b86a4e82318e181788701d15b934a75d641a6c5dedcad546124cf64a66d9703 32660 
neutron-server_9.1.1-3+deb9u1_all.deb
 e1846e62dc724c0782401eb9e147232fe79c6b53e54725e01a5c02a3b2427208 11798 
neutron-sriov-agent_9.1.1-3+deb9u1_all.deb
 de9f86fae547aa7c794d7c974aeb387e4a74f5ff757db8f4ffa5d3e70c53b2b5 18144 
neutron_9.1.1-3+deb9u1_amd64.buildinfo
 ee17eaf12329b2e8c1db5a8c917d362ec9e9700855c4ae4dc18c5f8613d79634 1447182 
python-neutron_9.1.1-3+deb9u1_all.deb
Files:
 6ce254bab291005626a540cd98478a37 4926 net optional neutron_9.1.1-3+deb9u1.dsc
 9a737bdcfb801e3968c897116d23f952 2046540 net optional neutron_9.1.1.orig.tar.xz
 df7d8a3bbbc06ff3549f57e23e318ba7 44852 net optional 
neutron_9.1.1-3+deb9u1.debian.tar.xz
 acc9fe3d50a2f9673b7341c8abcdc275 66770 net optional 
neutron-common_9.1.1-3+deb9u1_all.deb
 bc108bd1c1c2a27ff7ddb8dfc917bd93 22910 net optional 
neutron-dhcp-agent_9.1.1-3+deb9u1_all.deb
 2060f95f82f8f101de879e344f480400 15488 net optional 
neutron-l3-agent_9.1.1-3+deb9u1_all.deb
 412d216f3d649c96227874e8359bef04 15028 net optional 
neutron-linuxbridge-agent_9.1.1-3+deb9u1_all.deb
 9b34059e5cb900972238bdecc902b2a0 13994 net optional 
neutron-macvtap-agent_9.1.1-3+deb9u1_all.deb
 2929d7e0cd34a7ef9d032714129ff288 34760 net optional 
neutron-metadata-agent_9.1.1-3+deb9u1_all.deb
 1fe10ad651c8793fd68f999e72f7d6b2 13216 net optional 
neutron-metering-agent_9.1.1-3+deb9u1_all.deb
 1d4f8c2a7154bf99d658b010c2a93c40 12248 net optional 
neutron-openvswitch-agent_9.1.1-3+deb9u1_all.deb
 67a636f87442ee991e44ca7449977e75 8786 oldlibs optional 
neutron-plugin-linuxbridge-agent_9.1.1-3+deb9u1_all.deb
 884da92ee8109e58a5491ee04a6c5858 9122 net optional 
neutron-plugin-nec-agent_9.1.1-3+deb9u1_all.deb
 c32881540170c41047cb568635f966af 8784 oldlibs optional 
neutron-plugin-openvswitch-agent_9.1.1-3+deb9u1_all.deb
 e83f6db4e5179c2cd31ec5f25a3ad787 32660 net optional 
neutron-server_9.1.1-3+deb9u1_all.deb
 f9a21cf320bf27476e7ba5625d092f59 11798 net optional 
neutron-sriov-agent_9.1.1-3+deb9u1_all.deb
 2fa5389d982a8d4253303fdaa25a22e7 18144 net optional 
neutron_9.1.1-3+deb9u1_amd64.buildinfo
 22c9cdc54f749465ca41b0c77be3a152 1447182 python optional 
python-neutron_9.1.1-3+deb9u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtKCq/KhshgVdBnYUq1PlA1hod6YFAlyKJVQACgkQq1PlA1ho
d6YX5Q/5AeODYvK0KCdcxWu74Y5K70XGiDBE53DNqNemBe1748c4x0oY4LmKhf7I
3AkJV3Y2baqZmcEYtL0qEGFoqSQLxgfxf4q90Bjk+L6WMnq7vQtpe76ETRIahzAv
8G2N2CJ3AgWro7JjjsPBS+o1dtIfEOlAaQSk4sfBPO2EaBk7tTYf1uhfflybIwGQ
WJYr/GW20SRnzZ4XzAqKlx6VzIrAMHsimoROdM6QM7h48y//YP3HtUWH5+cSbZI/
zrX8SFdqvpW37oeG9V+uEI6acjysxsmVUksQFBWDwjwWzu85CkAktaWOCmD78FMv
Yz6r0gJH/YRyxud3VjzHu66kRCgJRWsRIKa383noBZ+doGj4M7PZ3l/L7JqaQjtB
TE9dvIq0VdSDE73h76+ueLGhfhuPNFJt4A7jF5MuVYMIyKhxt0t1OWcn7kGPxFI0
LhWoLv+jX+DCBR7sA2EAAZRq2aW+T9ZEvxV8Ou5BgjnTtcZbEbfY3xrOia3K3tXx
O7yM7TqSN1f/NW5tuaHS24SGnhLJY0AEMpfJl/ey6R5UplbOei9Qy0fA1n3LBmjw
VPjtk6InL598oSrBWiS2mFjlKNFFXb9y8VnAVpyMT6QALW+0DiaBf2jOH+DqNW1j
S/W64lFk/HAgrtBn3B4aavrSL2Z/O+a8acQuN6ZrvcFe1YsJHhU=
=ibBq
-----END PGP SIGNATURE-----

--- End Message ---