-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2561
  Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update
                              9 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Openstack 7.0 director
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Linux variants
                   Solaris
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5271  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2015:1862

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running Openstack 7.0 director check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update
Advisory ID:       RHSA-2015:1862-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:1862
Issue date:        2015-10-08
CVE Names:         CVE-2015-5271 
=====================================================================

1. Summary:

Updated packages that fix one security issue, several bugs, and add various
enhancements are now available for Red Hat Enterprise Linux OpenStack
Platform 7.0 director for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Openstack 7.0 director for RHEL 7 - noarch

3. Description:

Red Hat Enterprise Linux OpenStack Platform director provides the
facilities for deploying and monitoring a private or public
infrastructure-as-a-service (IaaS) cloud based on Red Hat Enterprise Linux
OpenStack Platform.

A flaw was discovered in the pipeline ordering of OpenStack Object
Storage's staticweb middleware in the swiftproxy configuration generated
from the openstack-tripleo-heat-templates package (OpenStack director).
The staticweb middleware was incorrectly configured before the Identity
Service, and under some conditions an attacker could use this flaw to gain
unauthenticated access to private data. (CVE-2015-5271)
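
The flaw above is purely one of middleware order: Swift's staticweb filter must sit after the authentication middleware in the proxy-server pipeline, because it serves container listings and index files on behalf of callers, and if it runs before the auth filters those callers have not been authenticated yet. The following is an added defender's check, not code from the Red Hat advisory or from the openstack-tripleo-heat-templates package. It parses the `[pipeline:main]` section of a proxy-server.conf and flags a pipeline in which `staticweb` precedes any auth filter. The set of auth middleware names and the two sample configurations are constructed assumptions for the example; the sample pipelines are illustrative and are not the exact strings the affected template generated.

```python
"""Check a Swift proxy-server.conf for staticweb placed ahead of auth middleware."""
import configparser
import sys

# Assumption: the deployment authenticates with one of these filters.
# Keystone deployments use authtoken + keystoneauth; test setups use tempauth.
AUTH_FILTERS = frozenset({"authtoken", "keystoneauth", "keystone", "tempauth"})

# Constructed sample: staticweb before the Keystone filters (the unsafe order).
VULNERABLE_CONF = """
[DEFAULT]
bind_port = 8080

[pipeline:main]
pipeline = catch_errors healthcheck cache staticweb authtoken keystoneauth proxy-server

[filter:staticweb]
use = egg:swift#staticweb

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:keystoneauth]
use = egg:swift#keystoneauth
"""

# Constructed sample: staticweb just after the auth filters (the documented order).
FIXED_CONF = VULNERABLE_CONF.replace(
    "cache staticweb authtoken keystoneauth proxy-server",
    "cache authtoken keystoneauth staticweb proxy-server",
)


def parse_pipeline(conf_text):
    """Return the ordered middleware names from [pipeline:main]."""
    # Paste Deploy INI files can contain '%' in values, so disable interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.get("pipeline:main", "pipeline").split()


def check_staticweb_order(pipeline):
    """Return (ok, reason). ok is False when staticweb runs before an auth filter."""
    if "staticweb" not in pipeline:
        return True, "staticweb is not in the pipeline"
    auth_positions = [i for i, name in enumerate(pipeline) if name in AUTH_FILTERS]
    if not auth_positions:
        return False, "no recognised auth middleware in the pipeline"
    sw = pipeline.index("staticweb")
    if sw < max(auth_positions):
        ahead = [pipeline[i] for i in auth_positions if i > sw]
        return False, "staticweb runs before auth middleware: %s" % ", ".join(ahead)
    return True, "staticweb runs after all auth middleware"


def suggested_pipeline(pipeline):
    """Return a copy with staticweb moved to directly after the last auth filter."""
    fixed = [name for name in pipeline if name != "staticweb"]
    if "staticweb" not in pipeline:
        return fixed
    auth_positions = [i for i, name in enumerate(fixed) if name in AUTH_FILTERS]
    insert_at = max(auth_positions) + 1 if auth_positions else len(fixed) - 1
    fixed.insert(insert_at, "staticweb")
    return fixed


def check_conf_text(conf_text):
    """Convenience wrapper: parse the file text and check the order."""
    return check_staticweb_order(parse_pipeline(conf_text))


if __name__ == "__main__":
    # Usage: python check_staticweb.py /etc/swift/proxy-server.conf
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else VULNERABLE_CONF
    pipe = parse_pipeline(text)
    ok, reason = check_staticweb_order(pipe)
    print("pipeline:", " ".join(pipe))
    print("OK" if ok else "UNSAFE", "-", reason)
    if not ok:
        print("suggested:", " ".join(suggested_pipeline(pipe)))
        sys.exit(1)
```

Run it against each proxy-server.conf on the overcloud controllers after applying the update; a non-zero exit means the generated pipeline still has the unsafe order and the suggested line shows where staticweb belongs.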

This issue was discovered by Christian Schwede and Emilien Macchi of
Red Hat.

This update also fixes numerous bugs and adds various enhancements.
Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux OpenStack Platform 7
Release Notes, linked to in the References section, for information on the
most significant of these changes.

All Red Hat Enterprise Linux OpenStack Platform 7.0 director users are
advised to upgrade to these updated packages, which correct these issues
and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1223022 - Ceilometer API port not allowed in firewall rules on undercloud
1226376 - Neutron API port not allowed in firewall rules on undercloud
1228862 - Can `openstack undercloud install` have a --force-clean option so an error doesn't require restarting?
1231777 - Its possible to scale up beyond the number of free nodes
1233949 - overcloud horizon apache config doesn't appear to use a network vip
1235320 - Unhelpful failure when incorrect parameters are given
1235325 - "openstack baremetal configure boot" should skip nodes that have maintenance=true
1236136 - All overcloud keystone endpoints get configured with the public IP when using network isolation
1236663 - No output for upload images command
1236707 - undercloud.conf.sample incorrectly states that heat db encryption key can be 8,16, or 32 chars
1237020 - undercloud GUI- Image field is mandatory  when setting VM for deploy overcloud
1240260 - introspection timed out for 2 VM nodes
1241199 - openstack baremetal configure boot is not safe to run a second time
1241668 - 'openstack help overcloud deploy' : doesn't cover comments/explanation for all deployment --arguments
1243015 - Overcloud stack name hard-coded
1243032 - Hard-coded reference to instackenv.json
1243062 - On deployment failure, no reason is returned
1243121 - Neutron port quota fails larger overcloud deployments
1243472 - don't save UpdateIdentifier in tuskar when running package update
1243601 - Overcloud deploys default to qemu instead of kvm
1243829 - overcloud image upload creates duplicate images
1244001 - bulk introspection with active nodes fails
1244026 - [RFE] Overcloud nodes deployed by OSP-Director are using DHCP; can they be statically assigned instead?
1244032 - [RFE] Can OSP-Director deploy an HA overcloud which uses a hardware load balancer?
1244856 - openstack overcloud update stack overcloud requires an undocumented argument
1244864 - VXLAN should be default neutron network type
1245212 - rhel-osp-director: Running "ahc-match" on a setup with enabled SSL yields error: ironicclient.openstack.common.apiclient.exceptions.ConnectionRefused: Error communicating with https://[IP]:13385/ [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL
1245714 - set mem overcommit to 1:1
1246596 - Add support for network validation tests
1247015 - openstack undercloud install doesn't create rabbit user if you set custom passwords in undercloud.conf
1247722 - messages report Introspection for one of the nodes 'has timed out' while the command returns ' Discovery completed.'
1248172 - inspection: clean failed with pxe_ilo
1249640 - Installers need to configure tempest with deployment-specific values and export a partial tempest.conf
1250249 - After deploying, system load charts shown on the overview page are incorrect
1250250 - When deploying from UI we miss to add params based on scale logic
1251566 - Undercloud mariadb max_connection default is too low
1252054 - Default deployment through GUI doesn't create cinder v2 service and endpoint
1252219 - ovs bond on controller is not seeing dhcp packet
1252437 - [Discovery] Gathers wrong information about disks available
1252509 - rhel-osp-director: Fail to "openstack overcloud update stack":  "ERROR: openstack unexpected end of regular expression"
1252553 - rhel-osp-director: UI: Limited selection for public interface under service configuration.
1253465 - [RFE] Allow for customization of the Ceph pools name and client username
1253628 - external ceph patches break tuskar based deploys
1253777 - HA overcloud deployment argument for NTP server should not be optional
1254897 - Not configuring neutron mechanism drivers in any puppet based deploys
1255910 - overcloud node delete of one compute node removed all of them
1255931 - rhel-osp-director: rhel-osp-director: unable to delete a heat stack deployed with "--rhel-reg --reg-method portal --reg-org <rel-org> --reg-activation-key '<key>'", following a failed attempt to update it with "openstack overcloud update stack --templates
1256477 - ironic ipmitool intermittently timing out causing API requests to process slowly
1257414 - [HA] critical resource constraints missing from pacemaker config make things go kaboom
1257642 - yum hanged infinitely on nova-compute cleanup when do an update
1259393 - [RFE] Add support to register and deploy nodes with fake_pxe
1259905 - Integrate yum updates of overcloud with Puppet
1260736 - missing module python-ironic-inspector-client
1260991 - Running the same deploy command twice results with :"Deployment failed:  Not enough nodes - available: 2, requested: 5"
1261045 - Big Switch ML2 networking plugin configuration
1261048 - controllerExtraConfig support
1261067 - Keystone notifications support
1261697 - CVE-2015-5271 openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware
1261921 - updating overcloud stack  packages doesn't stop cluster and will cause it to be down
1262059 - Include the bigswitch networking packages in the image by default
1262454 - os-cloud-config: with fake_pxe pm_type in instackenv.json and thus no pm_addr entry,  "openstack baremetal import --json instackenv.json"  exits with: ERROR: openstack 'pm_addr'
1262995 - osp-d deployment fails on network validation scripts when network-isolation is not enabled.
1265010 - Heat environment is overwritten on overcloud updates
1265777 - No DNS servers set on the overcloud nodes
1266082 - RHEL unregistration doesn't work when scaling down
1266253 - [Director] increase mariadb max_connection default value
1266327 - yum_update.sh fails due to incomplete --excludes list
1266911 - CLI should not force --neutron-tunnel-types if --neutron-disable-tunneling is specified
1267883 - Unable to control the file_descriptors limit for rabbitmq-server via the director.

6. Package List:

Openstack 7.0 director for RHEL 7:

Source:
ahc-tools-0.1.1-6.el7ost.src.rpm
instack-undercloud-2.1.2-29.el7ost.src.rpm
openstack-ironic-discoverd-1.1.0-6.el7ost.src.rpm
openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.src.rpm
openstack-tripleo-heat-templates-0.8.6-71.el7ost.src.rpm
openstack-tripleo-image-elements-0.9.6-10.el7ost.src.rpm
openstack-tripleo-puppet-elements-0.0.1-5.el7ost.src.rpm
openstack-tuskar-0.4.18-4.el7ost.src.rpm
openstack-tuskar-ui-0.4.0-3.el7ost.src.rpm
os-cloud-config-0.2.8-7.el7ost.src.rpm
os-net-config-0.1.4-4.el7ost.src.rpm
python-hardware-0.14-7.el7ost.src.rpm
python-proliantutils-2.1.0-4.el7ost.src.rpm
python-rdomanager-oscplugin-0.0.10-8.el7ost.src.rpm

noarch:
ahc-tools-0.1.1-6.el7ost.noarch.rpm
instack-undercloud-2.1.2-29.el7ost.noarch.rpm
openstack-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm
openstack-ironic-discoverd-ramdisk-1.1.0-6.el7ost.noarch.rpm
openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.noarch.rpm
openstack-tripleo-heat-templates-0.8.6-71.el7ost.noarch.rpm
openstack-tripleo-image-elements-0.9.6-10.el7ost.noarch.rpm
openstack-tripleo-puppet-elements-0.0.1-5.el7ost.noarch.rpm
openstack-tuskar-0.4.18-4.el7ost.noarch.rpm
openstack-tuskar-ui-0.4.0-3.el7ost.noarch.rpm
os-cloud-config-0.2.8-7.el7ost.noarch.rpm
os-net-config-0.1.4-4.el7ost.noarch.rpm
python-hardware-0.14-7.el7ost.noarch.rpm
python-hardware-doc-0.14-7.el7ost.noarch.rpm
python-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm
python-proliantutils-2.1.0-4.el7ost.noarch.rpm
python-rdomanager-oscplugin-0.0.10-8.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5271
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/release-notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWFsrHXlSAg2UNWIIRAtL2AKCk53FbRIBVvzO+Et6D8mDqXBAt0gCeOa8f
VQYax8tsROCKDKloTgxlz2k=
=otBI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=OYli
-----END PGP SIGNATURE-----