Red Hat: 2014:0091-01: openstack-neutron: Moderate Advisory

    Date22 Jan 2014
    1495
    Posted ByJoe Shakespeare
    Updated openstack-neutron packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. [More...]
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: openstack-neutron security, bug fix, and enhancement update
    Advisory ID:       RHSA-2014:0091-01
    Product:           Red Hat OpenStack
    Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0091.html
    Issue date:        2014-01-22
    CVE Names:         CVE-2013-6419 
    =====================================================================
    
    1. Summary:
    
    Updated openstack-neutron packages that fix one security issue, several
    bugs, and add various enhancements are now available for Red Hat Enterprise
    Linux OpenStack Platform 4.0.
    
    The Red Hat Security Response Team has rated this update as having moderate
    security impact. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available from the CVE link in
    the References section.
    
    2. Relevant releases/architectures:
    
    OpenStack 4 - noarch
    
    3. Description:
    
    The openstack-neutron packages provide Openstack Networking (neutron), the
    virtual network service.
    
    It was discovered that the metadata agent in OpenStack Networking was
    missing an authorization check on the device ID that is bound to a specific
    port. A remote tenant could guess the instance ID bound to a port and
    retrieve metadata of another tenant, resulting in information disclosure.
    Note that only OpenStack Networking setups running neutron-metadata-agent
    were affected. (CVE-2013-6419)
    
    Red Hat would like to thank Jeremy Stanley of the OpenStack Project for
    reporting this issue. Upstream acknowledges Aaron Rosen of VMware as the
    original reporter.
    
    The openstack-neutron packages have been upgraded to upstream version
    2013.2.1, which provides a number of bug fixes and enhancements over the
    previous version. The most notable fixes and enhancements are:
    
    * Support for multiple workers in the Neutron API. This can be achieved by
      setting the 'workers=' parameter in the neutron.conf file.
    
    * The downtime and report interval default settings are tuned for
      neutron agents.
    
    * The floating IP address stability has been enhanced.
    
    * A heartbeat-related deadlock problem in neutron-server has been fixed.
    
    (BZ#1045419)
    
    This update also fixes the following bugs:
    
    * An incorrect warning was displayed when running neutron-dhcp-agent with
    Red Hat Enterprise Linux's version of dnsmasq. This meant that users were
    incorrectly warned that Red Hat Enterprise Linux's dnsmasq version will not
    work with neutron-dhcp-agent. This warning has been removed, and will no
    longer be logged to the neutron-dhcp-agent log file. (BZ#1040196)
    
    * A bug in the QPID topic consumer re-connection logic (under the v2
    topology) caused qpidd to use a malformed subscriber address after
    restarting, resulting in RPC requests sent to a topic with multiple servers
    ending up being incorrectly multicast to all servers. This update removes
    the special-case reconnect logic that handles UUID addresses, which in turn
    avoids the incorrect establishment of multiple subscription to the same
    fanout address. The QPID broker now simply automatically generates unique
    queue names when clients reconnect. (BZ#1045067)
    
    * Thread-consuming QPID messages were killed silently by unhandled errors,
    thus resulting in isolating the component from the rest of the system.
    With this update, consuming threads are made more resilient to errors by
    ensuring they do not die on an unhandled error. The error is now logged,
    and the consuming thread is retried. (BZ#1054249)
    
    In addition, this update adds the following enhancement:
    
    * Previously, instances connected to tenant networks gained outside
    connectivity by going through an SNAT by the L3 agent hosting that
    network's virtual router. With this release, the ability to disable
    SNAT/PAT on virtual servers is added ensuring that an instance in a tenant
    network subnet will retain its IP address as it passes through external
    networks. For example, if 10.0.0.1 is an instance in the 10.0.0.0/8 tenant
    network, R1, a virtual router that connects the 10.0.0.0/8 subnet to the
    20.0.0.0/8 public provider networks, then you can use the 'neutron
    router-gateway-set --disable-snat R1 public' command and any traffic from
    10.0.0.1, which is forwarded out to the provider network, will retain its
    actual source IP address of 10.0.0.1. This can be a flexible and useful
    method to connect instances directly to a provider network, while retaining
    it in a tenant network. (BZ#1046070)
    
    All openstack-neutron users are advised to upgrade to these updated
    packages, which correct these issues and add these enhancements.
    
    4. Solution:
    
    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.
    
    This update is available via the Red Hat Network. Details on how to
    use the Red Hat Network to apply this update are available at
    https://access.redhat.com/site/articles/11258
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1038737 - neutron is creating duplicated NAT rules, resulting in instances without network connection
    1039148 - CVE-2013-6419 OpenStack Neutron and Nova: Metadata queries from Neutron to Nova are not restricted by tenant
    1039528 - Neutron rootwrap does not follow packaging guidelines
    1040196 - Remove dnsmasq version warning for dhcp-agent on RHEL
    1045067 - [oslo] With QPID, RPC calls to a topic are always fanned-out to all subscribers.
    1046070 - Configurable External Gateway Modes
    1046087 - The error message that indicates manual DB stamping is needed is not clear enough
    1054249 - Thread consuming qpid messages can die silently
    
    6. Package List:
    
    OpenStack 4:
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-neutron-2013.2.1-4.el6ost.src.rpm
    
    noarch:
    openstack-neutron-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-bigswitch-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-brocade-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-cisco-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-hyperv-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-linuxbridge-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-mellanox-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-metaplugin-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-metering-agent-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-midonet-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-ml2-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-nec-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-nicira-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-openvswitch-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-plumgrid-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-ryu-2013.2.1-4.el6ost.noarch.rpm
    openstack-neutron-vpn-agent-2013.2.1-4.el6ost.noarch.rpm
    python-neutron-2013.2.1-4.el6ost.noarch.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/#package
    
    7. References:
    
    https://www.redhat.com/security/data/cve/CVE-2013-6419.html
    https://access.redhat.com/security/updates/classification/#moderate
    
    8. Contact:
    
    The Red Hat security contact is .  More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2014 Red Hat, Inc.
    

    LinuxSecurity Poll

    What do you think of the LinuxSecurity Privacy news articles?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/25-what-do-you-think-of-the-linuxsecurity-privacy-news-articles?task=poll.vote&format=json
    25
    radio
    [{"id":"90","title":"Love them!","votes":"48","type":"x","order":"1","pct":88.89,"resources":[]},{"id":"91","title":"I'm indifferent","votes":"4","type":"x","order":"2","pct":7.41,"resources":[]},{"id":"92","title":"Not interested in this topic","votes":"2","type":"x","order":"3","pct":3.7,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.