Bug 1000086 (CVE-2013-4278) - CVE-2013-4278 OpenStack: Nova private flavors resource limit circumvention incomplete fix for CVE-2013-2256
Summary: CVE-2013-4278 OpenStack: Nova private flavors resource limit circumvention in...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-4278
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 993343 993412 994715 994809 994810 1000087 1000088 1000089 1000090 1000091
Blocks: 993341
TreeView+ depends on / blocked
 
Reported: 2013-08-22 15:56 UTC by Kurt Seifried
Modified: 2021-10-01 19:36 UTC (History)
31 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-23 20:14:04 UTC
Embargoed:

Attachments (Terms of Use)

Description Kurt Seifried 2013-08-22 15:56:15 UTC 
Vincent Danen (vdanen) reports:

The previous fix was insufficient and did not fully fix the flaw, as noted here:

https://bugs.launchpad.net/ossa/+bug/1212179

The patch to fully correct this flaw is here (I believe it would be in addition to previously-mentioned patches):

https://github.com/openstack/nova/commit/4054cc4a22a1fea997dec76afb5646fd6c6ea6b9
Comment 2 Kurt Seifried 2013-08-22 16:01:06 UTC 
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1000087]
Affects: epel-6 [bug 1000088]
Comment 3 Vincent Danen 2013-08-23 20:14:04 UTC 
Statement:

Not vulnerable.  Red Hat did not release the incomplete fix for CVE-2013-2256 in any products.
Note You need to log in before you can comment on or make changes to this bug.