Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/382573
** Changed in: glance/liberty
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1449062
I think the impact description is good. I will push through those
backports.
Status update: it looks like all Glance and Nova fixes have merged; so
too have the master and stable/newton changes for Cinder. At this point
we're waiting for https://review.openstack.org/375625 (Cinder's
stable/mitaka fix) to merge, and we don't seem to have a stable/liberty
backport for Cinder.
Reviewed: https://review.openstack.org/377736
Committed:
https://git.openstack.org/cgit/openstack/glance/commit/?id=c90830d71969f68768d898c1c178489f602214e2
Submitter: Jenkins
Branch: stable/mitaka
commit c90830d71969f68768d898c1c178489f602214e2
Author: Hemanth Makkapati
Date: Fri Sep 23 0
** Changed in: glance
Status: Fix Released => Fix Committed
** Changed in: glance/newton
Importance: Undecided => Critical
** Changed in: glance/newton
Assignee: (unassigned) => Hemanth Makkapati (hemanth-makkapati)
** Changed in: glance/newton
Milestone: None => newton-rc2
*
Indeed my bad, oslo-concurrency 2.6.1, 3.7.1 and 3.8.0 are all good and
referenced in the upper-constraint of supported stable branches. Thus I
agree we could omit that note on the advisory.
I had the same question for mitaka, so had to dig a little deeper.
oslo.concurrency 3.7.1 was the follow-on release to 3.7.0 to include the
prlimit option. So based on current requirements for stable/mitaka, it
should be safe to backport this fix.
I did not investigate stable/liberty, but I'm assu
Tristan: I'm still a little confused on the oslo.concurrency
recommendation. Are you saying that we should suggest stable/liberty and
stable/mitaka deployments to also use oslo.concurrency>=3.8.0? At the
moment the tips of stable/liberty and stable/mitaka branches for
oslo.concurrency are tagged 2.
Jeremy, the missing bit for oslo-concurrency 3.7.1 is
https://review.openstack.org/#/q/I164c4b35e1357a0f80ed7fe00a7ae8f49df92e31
and it was merged to stable branches. Fortunately it seems like all
versions >= 3.8.0 are good enough to support correct resource limits, so
I guess we could just mention
** Tags added: newton-rc-potential
Title:
qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Reviewed: https://review.openstack.org/375526
Committed:
https://git.openstack.org/cgit/openstack/glance/commit/?id=69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f
Submitter: Jenkins
Branch: master
commit 69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f
Author: Hemanth Makkapati
Date: Fri Sep 23 09:29:12
Thanks Kashyap.
That bug isn't cross-listed with Glance and the current one applies to
Glance in a very generic way. So, Hemanth did the right thing from our
perspective. I will leave the rest of the story to the VMT team.
Jeremy: Hemanth (in comment#72) seems to have mixed up this bug (which
sets limits for memory / CPU usage for `qemu-img` calls) with *another*
bug[x] that is about disk image format guessing.
So, the Nova patches that fix this bug (1449062) are sufficient for the
problem it is solving (setting a c
Hemanth, Daniel: So that means the current patches to Nova are
insufficient because they missed `qemu-image convert` invocations? For
example at
http://git.openstack.org/cgit/openstack/nova/tree/nova/virt/xenapi/vm_utils.py#n1128
Tristan: Thanks, it looked like oslo.concurrency got backports to
st
Jeremy, the impact description looks good. Though note that the prlimit
implementation before oslo.concurrency-3.8.0 doesn't support all the
required resource limits, thus I would mention that
oslo.concurrency>=3.8.0 is required to fix that issue.
Yes, *any* qemu-img command that you run without providing '-f' will try
to guess the image format. Rather than trying to figure out whether a
particular invocation may or may not be susceptible to attack, the safe
approach is to use '-f' every time.
It's just a theory (credits to Brian Rosmaita) at this point, but looks
like "qemu-img convert" will try to infer the format of input image if
"-f" is not provided. So, "qemu-img convert" may be susceptible to the
same attack. Any thoughts?
Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/375625
** Changed in: cinder/mitaka
Status: New => In Progress
Reviewed: https://review.openstack.org/375102
Committed:
https://git.openstack.org/cgit/openstack/cinder/commit/?id=8547444775e406a50d9d26a0003e9ba6554b0d70
Submitter: Jenkins
Branch: stable/newton
commit 8547444775e406a50d9d26a0003e9ba6554b0d70
Author: Sean McGinnis
Date: Thu Sep 22 15:31
** Changed in: glance
Importance: Undecided => High
** Changed in: glance
Status: New => In Progress
** Changed in: glance
Assignee: (unassigned) => Hemanth Makkapati (hemanth-makkapati)
Reviewed: https://review.openstack.org/375099
Committed:
https://git.openstack.org/cgit/openstack/cinder/commit/?id=78f17f0ad79380ee3d9c50f2670252bcc559b62b
Submitter: Jenkins
Branch: master
commit 78f17f0ad79380ee3d9c50f2670252bcc559b62b
Author: Sean McGinnis
Date: Thu Sep 22 15:31:37 201
Thank you for that info Jeremy, I've targeted it to the appropriate
series in Glance so it's clear.
** Also affects: glance/mitaka
Importance: Undecided
Status: New
** Also affects: glance/liberty
Importance: Undecided
Status: New
** Also affects: glance/newton
Importance
Following discussion with Sean and Hemanth, it looks like we ought to
get fixes for this into supported branches of Cinder and Glance after
all. Hopefully getting them merged goes quickly now that Nova has
already trodden this ground and the fixes are basically identical
between them.
Assuming all
** Also affects: glance
Importance: Undecided
Status: New
** Changed in: cinder/newton
Milestone: None => newton-rc2
Fix proposed to branch: master
Review: https://review.openstack.org/375099
** Changed in: cinder
Status: New => In Progress
** Also affects: cinder
Importance: Undecided
Status: New
** Changed in: cinder
Importance: Undecided => Medium
** Changed in: cinder
Assignee: (unassigned) => Sean McGinnis (sean-mcginnis)
** Also affects: cinder/mitaka
Importance: Undecided
Status: New
** Also affects: cinder/newton
Importance: Medium
Assignee: Sean McGinnis (sean-mcginnis)
Status: New
I'm resurrecting Grant's proposed impact description from comment #28
and updating for the year of time which has passed since. I've also
edited it to remove references to Cinder and Glance... are those
effectively still impacted in any supported branches? I see that the
tasks API in Glance becomin
** Changed in: ossa
Status: Incomplete => In Progress
** Changed in: ossa
Assignee: (unassigned) => Jeremy Stanley (fungi)
Reviewed: https://review.openstack.org/327624
Committed:
https://git.openstack.org/cgit/openstack/nova/commit/?id=6bc37dcceca823998068167b49aec6def3112397
Submitter: Jenkins
Branch: stable/liberty
commit 6bc37dcceca823998068167b49aec6def3112397
Author: Daniel P. Berrange
Date: Mon Apr 18 1
Based on the thread at
http://lists.openstack.org/pipermail/openstack-dev/2016-September/104091.html
we may need to figure out how to adjust the messaging to indicate that it
was a severe enough bug to fix in stable/mitaka but that stable/liberty
will be left unfixed.
** Changed in: ossa
S
** Also affects: cloud-archive
Importance: Undecided
Status: New
** Changed in: cloud-archive
Status: New => Fix Released
** Changed in: cloud-archive
Importance: Undecided => Medium
** Also affects: cloud-archive/liberty
Importance: Undecided
Status: New
** Also a
Just a note that the Ubuntu Cloud Archive for Liberty includes the fix
with python-oslo.concurrency 2.6.1-0ubuntu1~cloud0. (Wily has gone EOL
since the update from Chris Arges above.)
** Project changed: cinder => ubuntu-translations
** No longer affects: ubuntu-translations
** Project changed: glance => ubuntu-translations
** Changed in: ubuntu-translations
Milestone: ongoing => None
** No longer affects: ubuntu-translations
Hello Tristan, or anyone else affected,
Accepted python-oslo.concurrency into wily-proposed. The package will
build now and be available at
https://launchpad.net/ubuntu/+source/python-oslo.concurrency/2.6.1-0ubuntu1
in a few hours, and then in the -proposed repository.
Please help us by testing
Here is a recap of all related patches,
master/newton (oslo.concurrency-3.8.0):
* https://review.openstack.org/243829 oslo.concurrency prlimit (merged in 3.7.1)
* https://review.openstack.org/307813 oslo.concurrency process limit (not merged in 3.7.1)
* https://review.openstack.org/307663 nova fi
** Also affects: python-oslo.concurrency (Ubuntu Wily)
Importance: Undecided
Status: New
** Changed in: python-oslo.concurrency (Ubuntu Wily)
Importance: Undecided => Medium
This bug was fixed in the package python-oslo.concurrency -
3.7.1-0ubuntu1
---
python-oslo.concurrency (3.7.1-0ubuntu1) xenial; urgency=medium
* New upstream point release (LP: #1449062).
-- Corey Bryant Mon, 13 Jun 2016 12:34:15 -0400
** Changed in: python-oslo.concurrency (Ub
Hi Chris,
python-oslo.concurrency 3.7.1-0ubuntu1 has been tested successfully.
Thanks,
Corey
** Tags removed: verification-needed
** Tags added: verification-done
Hello Tristan, or anyone else affected,
Accepted python-oslo.concurrency into xenial-proposed. The package will
build now and be available at
https://launchpad.net/ubuntu/+source/python-oslo.concurrency/3.7.1-0ubuntu1
in a few hours, and then in the -proposed repository.
Please help us by testin
** Also affects: python-oslo.concurrency (Ubuntu)
Importance: Undecided
Status: New
** Also affects: python-oslo.concurrency (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: python-oslo.concurrency (Ubuntu Xenial)
Importance: Undecided
Status: New