Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.2561 Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update 9 October 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Openstack 7.0 director Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Linux variants Solaris Impact/Access: Access Privileged Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2015-5271 Original Bulletin: https://access.redhat.com/errata/RHSA-2015:1862 Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running Openstack 7.0 director check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update Advisory ID: RHSA-2015:1862-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2015:1862 Issue date: 2015-10-08 CVE Names: CVE-2015-5271 ===================================================================== 1. Summary: Updated packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 7.0 director for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Openstack 7.0 director for RHEL 7 - noarch 3. Description: Red Hat Enterprise Linux OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat Enterprise Linux OpenStack Platform. A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data. (CVE-2015-5271) This issue was discovered by Christian Schwede and Emilien Macchi of Red Hat. This update also fixes numerous bugs and adds various enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux OpenStack Platform 7 Release Notes, linked to in the References section, for information on the most significant of these changes. All Red Hat Enterprise Linux OpenStack Platform 7.0 director users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1223022 - Ceilometer API port not allowed in firewall rules on undercloud 1226376 - Neutron API port not allowed in firewall rules on undercloud 1228862 - Can `openstack undercloud install` have a --force-clean option so an error doesn't require restarting? 1231777 - Its possible to scale up beyond the number of free nodes 1233949 - overcloud horizon apache config doesn't appear to use a network vip 1235320 - Unhelpful failure when incorrect parameters are given 1235325 - "openstack baremetal configure boot" should skip nodes that have maintenance=true 1236136 - All overcloud keystone endpoints get configured with the public IP when using network isolation 1236663 - No output for upload images command 1236707 - undercloud.conf.sample incorrectly states that heat db encryption key can be 8,16, or 32 chars 1237020 - undercloud GUI- Image field is mandatory when setting VM for deploy overcloud 1240260 - introspection timed out for 2 VM nodes 1241199 - openstack baremetal configure boot is not safe to run a second time 1241668 - 'openstack help overcloud deploy' : doesn't cover comments/explanation for all deployment --arguments 1243015 - Overcloud stack name hard-coded 1243032 - Hard-coded reference to instackenv.json 1243062 - On deployment failure, no reason is returned 1243121 - Neutron port quota fails larger overcloud deployments 1243472 - don't save UpdateIdentifier in tuskar when running package update 1243601 - Overcloud deploys default to qemu instead of kvm 1243829 - overcloud image upload creates duplicate images 1244001 - bulk introspection with active nodes fails 1244026 - [RFE] Overcloud nodes deployed by OSP-Director are using DHCP; can they be statically assigned instead? 1244032 - [RFE] Can OSP-Director deploy an HA overcloud which uses a hardware load balancer? 1244856 - openstack overcloud update stack overcloud requires an undocumented argument 1244864 - VXLAN should be default neutron network type 1245212 - rhel-osp-director: Running "ahc-match" on a setup with enabled SSL yields error: ironicclient.openstack.common.apiclient.exceptions.ConnectionRefused: Error communicating with https://[IP]:13385/ [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL 1245714 - set mem overcommit to 1:1 1246596 - Add support for network validation tests 1247015 - openstack undercloud install doesn't create rabbit user if you set custom passwords in undercloud.conf 1247722 - messages report Introspection for one of the nodes 'has timed out' while the command returns ' Discovery completed.' 1248172 - inspection: clean failed with pxe_ilo 1249640 - Installers need to configure tempest with deployment-specific values and export a partial tempest.conf 1250249 - After deploying, system load charts shown on the overview page are incorrect 1250250 - When deploying from UI we miss to add params based on scale logic 1251566 - Undercloud mariadb max_connection default is too low 1252054 - Default deployment through GUI doesn't create cinder v2 service and endpoint 1252219 - ovs bond on controller is not seeing dhcp packet 1252437 - [Discovery] Gathers wrong information about disks available 1252509 - rhel-osp-director: Fail to "openstack overcloud update stack": "ERROR: openstack unexpected end of regular expression" 1252553 - rhel-osp-director: UI: Limited selection for public interface under service configuration. 1253465 - [RFE] Allow for customization of the Ceph pools name and client username 1253628 - external ceph patches break tuskar based deploys 1253777 - HA overcloud deployment argument for NTP server should not be optional 1254897 - Not configuring neutron mechanism drivers in any puppet based deploys 1255910 - overcloud node delete of one compute node removed all of them 1255931 - rhel-osp-director: rhel-osp-director: unable to delete a heat stack deployed with "--rhel-reg --reg-method portal --reg-org <rel-org> --reg-activation-key '<key>'", following a failed attempt to update it with "openstack overcloud update stack --templates 1256477 - ironic ipmitool intermittently timing out causing API requests to process slowly 1257414 - [HA] critical resource constraints missing from pacemaker config make things go kaboom 1257642 - yum hanged infinitely on nova-compute cleanup when do an update 1259393 - [RFE] Add support to register and deploy nodes with fake_pxe 1259905 - Integrate yum updates of overcloud with Puppet 1260736 - missing module python-ironic-inspector-client 1260991 - Running the same deploy command twice results with :"Deployment failed: Not enough nodes - available: 2, requested: 5" 1261045 - Big Switch ML2 networking plugin configuration 1261048 - controllerExtraConfig support 1261067 - Keystone notifications support 1261697 - CVE-2015-5271 openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware 1261921 - updating overcloud stack packages doesn't stop cluster and will cause it to be down 1262059 - Include the bigswitch networking packages in the image by default 1262454 - os-cloud-config: with fake_pxe pm_type in instackenv.json and thus no pm_addr entry, "openstack baremetal import --json instackenv.json" exits with: ERROR: openstack 'pm_addr' 1262995 - osp-d deployment fails on network validation scripts when network-isolation is not enabled. 1265010 - Heat environment is overwritten on overcloud updates 1265777 - No DNS servers set on the overcloud nodes 1266082 - RHEL unregistration doesn't work when scaling down 1266253 - [Director] increase mariadb max_connection default value 1266327 - yum_update.sh fails due to incomplete --excludes list 1266911 - CLI should not force --neutron-tunnel-types if --neutron-disable-tunneling is specified 1267883 - Unable to control the file_descriptors limit for rabbitmq-server via the director. 6. Package List: Openstack 7.0 director for RHEL 7: Source: ahc-tools-0.1.1-6.el7ost.src.rpm instack-undercloud-2.1.2-29.el7ost.src.rpm openstack-ironic-discoverd-1.1.0-6.el7ost.src.rpm openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.src.rpm openstack-tripleo-heat-templates-0.8.6-71.el7ost.src.rpm openstack-tripleo-image-elements-0.9.6-10.el7ost.src.rpm openstack-tripleo-puppet-elements-0.0.1-5.el7ost.src.rpm openstack-tuskar-0.4.18-4.el7ost.src.rpm openstack-tuskar-ui-0.4.0-3.el7ost.src.rpm os-cloud-config-0.2.8-7.el7ost.src.rpm os-net-config-0.1.4-4.el7ost.src.rpm python-hardware-0.14-7.el7ost.src.rpm python-proliantutils-2.1.0-4.el7ost.src.rpm python-rdomanager-oscplugin-0.0.10-8.el7ost.src.rpm noarch: ahc-tools-0.1.1-6.el7ost.noarch.rpm instack-undercloud-2.1.2-29.el7ost.noarch.rpm openstack-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm openstack-ironic-discoverd-ramdisk-1.1.0-6.el7ost.noarch.rpm openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.noarch.rpm openstack-tripleo-heat-templates-0.8.6-71.el7ost.noarch.rpm openstack-tripleo-image-elements-0.9.6-10.el7ost.noarch.rpm openstack-tripleo-puppet-elements-0.0.1-5.el7ost.noarch.rpm openstack-tuskar-0.4.18-4.el7ost.noarch.rpm openstack-tuskar-ui-0.4.0-3.el7ost.noarch.rpm os-cloud-config-0.2.8-7.el7ost.noarch.rpm os-net-config-0.1.4-4.el7ost.noarch.rpm python-hardware-0.14-7.el7ost.noarch.rpm python-hardware-doc-0.14-7.el7ost.noarch.rpm python-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm python-proliantutils-2.1.0-4.el7ost.noarch.rpm python-rdomanager-oscplugin-0.0.10-8.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-5271 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/release-notes 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWFsrHXlSAg2UNWIIRAtL2AKCk53FbRIBVvzO+Et6D8mDqXBAt0gCeOa8f VQYax8tsROCKDKloTgxlz2k= =otBI - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVhcSTn6ZAP0PgtI9AQIXrA//Yhh+gUMi6eUv72zcjqqsN2EvWSyRUedO 91DaQYWkO1nSZYQ9KFhbbJtQgiSelOZJdRGIoIGGFJ9g+IBqqL5LmwB0WOwFEhrp Ai8f+VorWHNdpazF3EvEGu+ugq9K+un2DtMDJikGTB6UqqY8QEPJkPUHslEI3A96 eF032psR1mbBEAY43QMJVd4ThB4IvS64z7NcQy4Wu8scZvGxdsaEMWRBsL12Dg1p 16W1cxxukjl49PBOH5SQT8UpSi398NfW3xeVSKHphnzk8CjoFBokoIkC/BRWWLFZ ueC5J6d7tFUSsoHZiVQsfm6ZWbPBXK9WW46HOKdOUyqAvesiEtexyq31mp8ScT1X Pq99K6JMZBKtjuu3X5mhDZIgrt0fNtP9J8E/KQXTz/Axb6IRNTY4O1iQbZsLnJtg 3GQx3LssPiYb7bfR41MlZkUYgwIyNz8HtGt+dZwujRrgnK9Gte7CPUzviezfErG0 yBVyhuk+tMuRUh+Ifoa0mRA3oJvX3CyWoAsOJjiX/6i2wMBIeoSzClEt1ofFVNuq ocskuDTwtJxrPXee/UcVXP7TgdPjyfRjTqGzeQeMqvxW1dqk0y9ZnuEi+tJx+Lnl uVQL/RScLSZmK2d5S+lat7tM48471uIZyIPCn6t4PvvdZqFKM+cE1iEWjeEKZVYm lOjXRvQTtak= =OYli -----END PGP SIGNATURE-----