Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.2768 Moderate: openstack-neutron security and bug fix updates 18 September 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: openstack-neutron Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Impact/Access: Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2018-14635 Original Bulletin: https://access.redhat.com/errata/RHSA-2018:2710 https://access.redhat.com/errata/RHSA-2018:2715 Comment: This bulletin contains two (2) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-neutron security update Advisory ID: RHSA-2018:2710-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2018:2710 Issue date: 2018-09-17 CVE Names: CVE-2018-14635 ===================================================================== 1. Summary: An update for openstack-neutron is now available for Red Hat OpenStack Platform 13.0 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 13.0 - noarch 3. Description: OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. Security Fix(es): * openstack-neutron: A router interface out of subnet IP range results in a denial of service (CVE-2018-14635) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1607822 - CVE-2018-14635 openstack-neutron: A router interface out of subnet IP range results in a denial of service 6. Package List: Red Hat OpenStack Platform 13.0: Source: openstack-neutron-12.0.3-5.el7ost.src.rpm noarch: openstack-neutron-12.0.3-5.el7ost.noarch.rpm openstack-neutron-common-12.0.3-5.el7ost.noarch.rpm openstack-neutron-linuxbridge-12.0.3-5.el7ost.noarch.rpm openstack-neutron-macvtap-agent-12.0.3-5.el7ost.noarch.rpm openstack-neutron-metering-agent-12.0.3-5.el7ost.noarch.rpm openstack-neutron-ml2-12.0.3-5.el7ost.noarch.rpm openstack-neutron-openvswitch-12.0.3-5.el7ost.noarch.rpm openstack-neutron-rpc-server-12.0.3-5.el7ost.noarch.rpm openstack-neutron-sriov-nic-agent-12.0.3-5.el7ost.noarch.rpm python-neutron-12.0.3-5.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-14635 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW5/amdzjgjWX9erEAQj1aw//Zh8VwR3TkdcrggFUxxwEmuNHoy5ikO4o 86IX/PpwISxv9Vl6NEU/QQphofeA1AAMEz23meG+F8SA9J4ViqEa9fsfeNCFTchP UphcgjKb4zRhoiL27WJKjsYelCaW0SIVkz18l0YKyNxECeywiyOeF9SqZuDhgpqv zlZAsiF+/57cf5dGVcyp9VDM37mnv0dd8DgYMgJDAci5QhbZX0mZ6M4MUKlUAD8Z Zxy0kAEPb8ZAs7GyCieo3kV/bUIWS75chTa4dWczJsPKJBXVVrYpWyxFMmAPJM3/ QrUwF99t5DgI2ViXtAhZfP59TVLpGNqBLAH6aUu5UN5jOb/U/L96ehkadErIR/ow FhRtb1o12gZxq8kIl/yKy7i9MvWkESi/Q6lGHmCGzdmNYv2xm0Ytp6DqUoAVSAE/ +9I30o231ebL3e2fvgrxK35ZqFl4k3dOdxl9/xZO3GCnU0yunL2A6iuKtteXU+4D Dh8FFop/OQNb6SbYGPV3OlURWwvLLZAksYkNZYtlbIgDqawReQnIN2p1RplJOqBY OotDSPsH4R8rhrfyRlPkZsiH04nCw2yjekn9S3HiqTQNySVThMz4yD9EwSjrAH8e hbq0PTg++Qh3AgvzPI+Zv2Gzwk6Thj9LHDZkxY9LW68JBFhJANvIKOeheaJTLEmp iRGI0wprJ50= =1B82 - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-neutron security and bug fix update Advisory ID: RHSA-2018:2715-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2018:2715 Issue date: 2018-09-17 CVE Names: CVE-2018-14635 ===================================================================== 1. Summary: An update for openstack-neutron is now available for Red Hat OpenStack Platform 10.0 (Newton). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 10.0 - noarch 3. Description: OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. Security Fix(es): * openstack-neutron: A router interface out of subnet IP range results in a denial of service (CVE-2018-14635) For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References section. Bug Fix(es): * A new configuration option bridge_mac_table_size has been added for the neutron OVS agent. This value is set on every Open vSwitch bridge managed by the openvswitch-neutron-agent. The value controls the maximum number of MAC addresses that can be learned on a bridge. The default value for this new option is 50,000, which should be enough for most systems. Values outside a reasonable range (10 to 1,000,000) might be overridden by Open vSwitch. (BZ#1589031) * Previously, when a VM was destroyed, the IPv6 lease was not removed from dnsmasq lease files due to a missing dhcp_release6 binary. With this update, the dhcp_release6 binary is now provided in an updated dnsmasq-utils package version. (BZ#1545006) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1404709 - Neutron L3 Agent: AZLeastRoutersScheduler scheduler bug 1511394 - FlushError on IPAllocations when multiple subnets in the same network deleted 1532280 - ovs-vswitchd service hangs with Error too many open files 1545006 - openstack-neutron DHCP agent requires dnsmasq-utils 2.76 1561907 - test_sriov is failing on OSP10 1570908 - Cannot set --no-share on shared network that has floating_ip, gateway AND a tenant port 1575356 - [CI] Issue with addCleanup method causing scenario tests to fail 1576256 - neutron-openvswitch-agent cleans up stale flows months after they were created but it does not recreated correct flows and bridge configuration 1578414 - Sometimes dhcp_release packet isn't reaching dnsmasq process because it's being reloaded 1579400 - Neutron agents attach untagged ports to br-int, which will be trunk port if neutron-openvswitch-agent never handles them 1584845 - Packet loss during standby L3 agent restart 1589031 - The mac table size of neutron bridges (br-tun, br-int, br-*) is too small by default and eventually makes openvswitch explode 1607822 - CVE-2018-14635 openstack-neutron: A router interface out of subnet IP range results in a denial of service 6. Package List: Red Hat OpenStack Platform 10.0: Source: openstack-neutron-9.4.1-28.el7ost.src.rpm noarch: openstack-neutron-9.4.1-28.el7ost.noarch.rpm openstack-neutron-common-9.4.1-28.el7ost.noarch.rpm openstack-neutron-linuxbridge-9.4.1-28.el7ost.noarch.rpm openstack-neutron-macvtap-agent-9.4.1-28.el7ost.noarch.rpm openstack-neutron-metering-agent-9.4.1-28.el7ost.noarch.rpm openstack-neutron-ml2-9.4.1-28.el7ost.noarch.rpm openstack-neutron-openvswitch-9.4.1-28.el7ost.noarch.rpm openstack-neutron-rpc-server-9.4.1-28.el7ost.noarch.rpm openstack-neutron-sriov-nic-agent-9.4.1-28.el7ost.noarch.rpm python-neutron-9.4.1-28.el7ost.noarch.rpm python-neutron-tests-9.4.1-28.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-14635 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW5/b9NzjgjWX9erEAQhAwA/+MyO8MCtJxd8m+n1MjfAIlpkU6MKJOd9b IL9Q4uRqJch2uE2o0PS5BbjPZ1zRD8757gCobjSs8j99xyLo9lcLeszvBIzXGxY9 znHh5vo4JAfRNwciqBb+pe2SfuE70cP7tKvLw8uL9udcUjX8uCT0g9jpF2Xjae23 ZZr6A7q4a78kwJZXMmOrpjNIAob2AaqdB1Ja0Bhh07VsSg3Yme4mZPhd2gbCbpBN 5/ObuGej8POk+UUIrryRnkqVyL1KKmUpSDK78Z9wwdth1KA0GpJ5MyLPw0q6695K mSqyaKHrqUG46awWDM420g6WxcN4vH27ssEgcCdYKk0Nn1MMgAnCiXwXYLUsvf/n cEtNYoShyAxedp0qfOkIk8u41Gx5vnQAUKlgmpoJuNUJEp5gutl468rrvPgrbGW/ kpUO6X0+ksTOT5VgSLF/HXeezPztiQkjp4WT9oTOv59In/ag+9abvmmWSlzRhvlG /hQeXWG5Lq0NDgCAJ5ISeeNV7sm238kXcknbHiXr3HRQz4LKNukHSGG+r0ICQwFF Ud/zcnHR8g46cvzaFe1SK+O+OD9Rd/Idzk22nGFH/C/crpMfHF1LnYvG0tebE4Xa ZMs2E5FF02w+Z/rTeEPkKQAdKi8rvn8KOHGABMrsR9E1qXWViOh8SDQ8npIcWlCM b3/UV83nYYY= =SViz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW6BnCWaOgq3Tt24GAQgCKxAA3HhhqXH718cnyCguUfkPjuLSvnqdPrzU wSv0dv9v4fwDN3qjzf8Hw9e817Ku0BvIrZmcPnRWpn/T9mn7CTLMorHVphOQHvCx KQdWcXcELDTaRM9NE+eoL4sZ78O2hhn8UxNeh19vtb7Sf7IkQDing3PvmH7peN03 r7lexkRI3kQz6Ueark3YbhldRvtE/cvci7youpUcIGH5MV8x6LGSKl5l2hByvifA pFwjNdojDog3G3rQcoHxjhIPc7vm19NigOu4msVhicalHUfE2uRWt1Ei9LGDrUMX /h1grsxoUaTL9C7FwJ3kRUHMUpLdseU6NcEBDpt0Ot9Ke46P/DXSiJvmDO8d1rnA EJDwvrY4ZhF6UUZYC1/P06RGg3uPV5z3pGk+v/nR3yKYxd8IZ961huvQRlByDMfK 5q7kiXsVjo/MPZ49UcMUCyYelMSR5+sidlQXwIvXqKpeGbRJtFZ9Vq6M7Jns8Rzy AYNgwjYpGmbdMVv6yNotokF8Krro8ImuvN/pzxj6Ot4Zj2py7TUW8B7I90AuunRT //3pk8uZ7AjwxE6izXtxvWLtimTtjBTB/tDvb9Rchl5GkRsApl7qP3YVh2r0Yrz3 1hAc5GeZCXMndRe2IPJxu2SLryzjWdNUeZkk5A2CL/ZMB3GSNZpCihBLGYu2BR3o sABOZhG7exY= =EpJ2 -----END PGP SIGNATURE-----