Bug 1000086 (CVE-2013-4278) - CVE-2013-4278 OpenStack: Nova private flavors resource limit circumvention incomplete fix for CVE-2013-2256
Status: CLOSED NOTABUG
Alias: CVE-2013-4278
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20130820,repor...
Keywords: Security
Depends On: 993343 993412 994715 994809 994810 1000087 1000088 1000089 1000090 1000091
Blocks: 993341
Reported: 2013-08-22 15:56 UTC by Kurt Seifried
Modified: 2016-04-26 21:00 UTC (History)
Last Closed: 2013-08-23 20:14:04 UTC


Description Kurt Seifried 2013-08-22 15:56:15 UTC
Vincent Danen (vdanen@redhat.com) reports:

The previous fix was insufficient and did not fully fix the flaw, as noted here:

https://bugs.launchpad.net/ossa/+bug/1212179

The patch to fully correct this flaw is here (I believe it would be in addition to previously-mentioned patches):

https://github.com/openstack/nova/commit/4054cc4a22a1fea997dec76afb5646fd6c6ea6b9

Comment 2 Kurt Seifried 2013-08-22 16:01:06 UTC
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1000087]
Affects: epel-6 [bug 1000088]

Comment 3 Vincent Danen 2013-08-23 20:14:04 UTC
Statement:

Not vulnerable.  Red Hat did not release the incomplete fix for CVE-2013-2256 in any products.

