Bug 772202 (CVE-2012-0030)
| Summary: | CVE-2012-0030 openstack-nova: Tenant bypass by authenticated users using OpenStack API | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pádraig Brady <pbrady> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | apevec, asalkeld, markmc, mjc, rbryant, rkukura, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-08-10 00:58:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Pádraig Brady
2012-01-06 12:33:27 UTC
Created attachment 551231 [details]
proposed upstream patch to fix the flaw
This is the minimal patch that corrects the flaw, but breaks the unit tests.
Created attachment 551232 [details]
proposed upstream patch that also fixes the unit tests
Created attachment 551233 [details]
backported patch from upstream against 2011.3
This is a backported patch provided by Jamie Strandboge, again with unit test breakage.
Created attachment 551235 [details]
preliminary backported patch from upstream against 2011.3 for unit test fixes
As the upstream stable branch maintainer, I'll be backporting the full fix and applying it to the stable branch at disclosure time. I'll make that patch available in advance

Mark, that sounds great. So Fedora will just rebase to the latest upstream stable version on disclosure?

(In reply to comment #7)
> Mark, that sounds great. So Fedora will just rebase to the latest upstream
> stable version on disclosure?

Yeah, the latest package release is actually based on the latest revision of the stable branch. So, we'll just be pulling in a single new patch.

Created attachment 551729 [details]
diablo-cve-2012-0030.patch
Here's a version of the patch which applies against our F-16 tree. This is what will be pushed to the upstream stable/diablo branch.

Thanks Mark. I'll apply that tomorrow at 15:00 UTC. I also have other unrelated tweaks that need to go in the update.

This is now public: https://github.com/openstack/nova/commit/c9c09bd60e7a0e0258d218a31d7878755bea1395

openstack-nova-2011.3-19.el6 has been submitted as an update for EPEL6.
http://koji.fedoraproject.org/koji/buildinfo?buildID=282783

openstack-nova-2011.3-19.fc16 has been submitted as an update for Fedora 16:
http://koji.fedoraproject.org/koji/buildinfo?buildID=282782