Bug 1349515
Summary: | Update oslo.concurrency to 2.6.1 | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Kashyap Chamarthy <kchamart> |
Component: | python-oslo-concurrency | Assignee: | Victor Stinner <vstinner> |
Status: | CLOSED ERRATA | QA Contact: | Asaf Hirshberg <ahirshbe> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 8.0 (Liberty) | CC: | apevec, dmacpher, kchamart, lhh, mburns, ushkalim, vstinner |
Target Milestone: | --- | Keywords: | Rebase, ZStream |
Target Release: | 8.0 (Liberty) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | python-oslo-concurrency-2.6.1-1.el7ost | Doc Type: | Enhancement |
Doc Text: | Nova invoked qemu-img on user-supplied disk images without any resource limits (ulimit), so a crafted image could make qemu-img consume excessive memory and CPU on the compute host, a denial of service tracked as CVE-2015-5162. oslo.concurrency 2.6.1 adds support for process limits ('prlimit', via the 'ProcessLimits' class) to processutils.execute(). The Nova stable/liberty fix passes these limits to qemu-img, but only when oslo.concurrency 2.6.1 or newer is installed; with an older oslo.concurrency it logs an error and the mitigation is not in effect, which is why this rebase is required for the fix to take effect. | |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-14 19:57:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Kashyap Chamarthy
2016-06-23 15:03:54 UTC
The upstream change is stuck: https://review.openstack.org/#/c/327624/

* It was decided to require the newer oslo.concurrency release
* Upgrading oslo.concurrency in global requirements was rejected: https://review.openstack.org/#/c/337277/ (-2 vote)

In RHOS, we have more freedom to upgrade components, but what is the status of the nova backport downstream? I don't see much activity on this issue :-/ Is this issue (update oslo.concurrency in RHOS 8) still needed?

(In reply to Victor Stinner from comment #2)
> The upstream change is stuck: https://review.openstack.org/#/c/327624/
>
> * It was decided to require the newer oslo.concurrency release
> * Upgrading oslo.concurrency in global requirements was rejected:
> https://review.openstack.org/#/c/337277/ (-2 vote)

The above is now abandoned (in favor of the Nova backport) after some discussion upstream:

http://lists.openstack.org/pipermail/openstack-dev/2016-September/104345.html

We went with the solution to backport the CVE fix to the stable/liberty branch of Nova, which also adds a check for the presence of the 'ProcessLimits' attribute (only present in oslo.concurrency>=2.6.1) and a conditional check for the 'prlimit' parameter in the qemu_img_info() method:

http://git.openstack.org/cgit/openstack/nova/commit/?h=stable/liberty&id=6bc37dc

> In RHOS, we have more freedom to upgrade component, but what is the status
> of the nova backport downstream? I don't see much activity on this issue :-/
> Is this issue (update oslo.concurrency in RHOS 8) still needed?

Given my above comment, this (update oslo.concurrency in RHOS 8) is not needed any more, given that the issue is fixed in Nova itself for stable/liberty.

Thanks for checking, Victor.

(In reply to Kashyap Chamarthy from comment #3)
> (In reply to Victor Stinner from comment #2)
> > The upstream change is stuck: https://review.openstack.org/#/c/327624/
> >
> > * It was decided to require the newer oslo.concurrency release
> > * Upgrading oslo.concurrency in global requirements was rejected:
> > https://review.openstack.org/#/c/337277/ (-2 vote)
>
> The above is now abandoned (in favor of the Nova backport) after some
> discussion upstream:
>
> http://lists.openstack.org/pipermail/openstack-dev/2016-September/104345.html
>
> We went with the solution to backport the CVE fix, to stable/liberty branch
> of Nova, that also adds a check for the presence of 'ProcessLimits'
> attribute (which is only present in oslo.concurrency>=2.6.1; and a
> conditional check for 'prlimit' parameter in qemu_img_info() method:
>
> http://git.openstack.org/cgit/openstack/nova/commit/?h=stable/liberty&id=6bc37dc
>
> > In RHOS, we have more freedom to upgrade component, but what is the status
> > of the nova backport downstream? I don't see much activity on this issue :-/
> > Is this issue (update oslo.concurrency in RHOS 8) still needed?
>
> Given my above comment, this (update oslo.concurrency in RHOS 8) is not
> needed any more given that the issue is fixed in Nova itself, for
> stable/liberty

Wait, I'm wrong. Spoke too soon. The above Git commit I pointed out works if oslo.concurrency 2.6.1 is present; if not, it will log an error:

    LOG.error(_LE('Please upgrade to oslo.concurrency version '
                  '2.6.1 -- this version has fixes for the '
                  'vulnerability CVE-2015-5162.'))

So, we still need oslo.concurrency 2.6.1 for the Nova fix to take effect.

I rebased the python-oslo-concurrency package on 2.6.1: you get the package python-oslo-concurrency-2.6.1-1.el7ost.

Verified SanityOnly. Build passed E2E/HA automation run.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2712.html
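The thread above turns on two things: what the 'prlimit' support in oslo.concurrency 2.6.1 actually does for qemu-img, and why Nova's stable/liberty fix is a no-op unless that version is installed. The block below is an added example written for this page; it is not Nova's or oslo.concurrency's code. It runs an external program under hard RLIMIT_AS (virtual memory) and RLIMIT_CPU limits, which is the mechanism oslo.concurrency's ProcessLimits wraps (oslo.concurrency launches the target through a small wrapper process that sets the limits before exec; this example uses subprocess's preexec_fn instead). It also reproduces the hasattr('ProcessLimits') guard the Nova backport relies on, with the same log message quoted in the thread. The function names, the 512 MiB / 1 GiB limit values and the allocation sizes are illustrative choices made here, not Nova's; instead of qemu-img, a Python child that allocates memory stands in for qemu-img parsing a crafted image so the example runs anywhere.

```python
"""Added example (not Nova's or oslo.concurrency's code): run an external
program, such as qemu-img, under hard resource limits so a crafted input
cannot make it consume unbounded memory or CPU on the host.

oslo.concurrency 2.6.1 exposes this as
processutils.execute(..., prlimit=processutils.ProcessLimits(...)).
The limit values below are illustrative, not the ones Nova uses."""
import logging
import resource
import subprocess
import sys

LOG = logging.getLogger(__name__)

ONE_GIB = 1024 ** 3


def _rlimit_preexec(address_space, cpu_time):
    """Return a function that runs in the child between fork() and exec().

    Soft and hard limits are set to the same value, so the exec'd program
    cannot raise them again."""
    def preexec():
        resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_time, cpu_time))
    return preexec


def execute_limited(cmd, address_space=ONE_GIB, cpu_time=8, timeout=60):
    """Run cmd with RLIMIT_AS (bytes of virtual memory) and RLIMIT_CPU
    (CPU seconds) applied. RLIMIT_CPU is not wall-clock time, so a
    wall-clock timeout is still needed for a child that blocks.
    Returns (returncode, stdout, stderr)."""
    proc = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
        timeout=timeout,
        preexec_fn=_rlimit_preexec(address_space, cpu_time),
    )
    return proc.returncode, proc.stdout, proc.stderr


def inherited_address_space_limit(address_space):
    """Start a child under the limit and ask it which RLIMIT_AS it sees.
    Returns that value, or None if the child failed to run."""
    rc, out, _ = execute_limited(
        [sys.executable, "-c",
         "import resource; print(resource.getrlimit(resource.RLIMIT_AS)[0])"],
        address_space=address_space,
    )
    return int(out.strip()) if rc == 0 else None


def allocation_survives(n_bytes, address_space):
    """Stand-in for qemu-img parsing a malicious image: the child tries to
    allocate n_bytes. True if it succeeded, False if the limit stopped it
    (the allocation fails, the child exits non-zero, the host is unharmed)."""
    rc, _, _ = execute_limited(
        [sys.executable, "-c", "bytearray(%d)" % n_bytes],
        address_space=address_space,
    )
    return rc == 0


def qemu_img_prlimit_available(processutils):
    """The guard the Nova stable/liberty backport relies on: the prlimit=
    argument can only be passed if the installed oslo.concurrency exposes
    ProcessLimits (2.6.1 or newer). Otherwise log the same error Nova
    does; the CVE-2015-5162 mitigation is then NOT in effect."""
    if hasattr(processutils, "ProcessLimits"):
        return True
    LOG.error("Please upgrade to oslo.concurrency version 2.6.1 -- "
              "this version has fixes for the vulnerability CVE-2015-5162.")
    return False


if __name__ == "__main__":
    limit = 512 * 1024 ** 2  # illustrative 512 MiB address-space cap
    print("child sees RLIMIT_AS =", inherited_address_space_limit(limit))
    print("2 GiB allocation under a 512 MiB limit survived:",
          allocation_survives(2 * ONE_GIB, limit))
```

Two caveats a practitioner should keep in mind when picking values: RLIMIT_AS caps the whole virtual address space, so the limit must leave headroom for the program's own binary, shared libraries and stacks or exec will fail before any work is done; and RLIMIT_CPU only bounds CPU seconds, so a qemu-img that blocks on I/O still needs the separate wall-clock timeout shown above.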