Your message dated Wed, 01 Sep 2021 15:49:18 +0000 with message-id <e1mlsui-000bfz...@fasolo.debian.org> and subject line Bug#993398: fixed in neutron 2:18.1.0-3 has caused the Debian Bug report #993398, regarding neutron: CVE-2021-40085: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 993398: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993398 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: neutron Version: 2:18.1.0-2 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://launchpad.net/bugs/1939733 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 2:17.1.1-6 Hi, The following vulnerability was published for neutron. CVE-2021-40085[0]: | An issue was discovered in OpenStack Neutron before 16.4.1, 17.x | before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can | reconfigure dnsmasq via a crafted extra_dhcp_opts value. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-40085 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085 [1] https://launchpad.net/bugs/1939733 [2] https://www.openwall.com/lists/oss-security/2021/08/31/2 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: neutron Source-Version: 2:18.1.0-3 Done: Thomas Goirand <z...@debian.org> We believe that the bug you reported is fixed in the latest version of neutron, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 993...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thomas Goirand <z...@debian.org> (supplier of updated neutron package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Wed, 01 Sep 2021 17:00:21 +0200 Source: neutron Architecture: source Version: 2:18.1.0-3 Distribution: unstable Urgency: medium Maintainer: Debian OpenStack <team+openst...@tracker.debian.org> Changed-By: Thomas Goirand <z...@debian.org> Closes: 993398 Changes: neutron (2:18.1.0-3) unstable; urgency=medium . * CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an authenticated user may add arbitrary configuration to the dnsmasq process in order to crash the service, change parameters for other tenants sharing the same interface, or otherwise alter that daemon's behavior. This vulnerability may also be used to trigger a configuration parsing buffer overflow in versions of dnsmasq prior to 2.81, which could lead to remote code execution. All Neutron deployments are affected. Added upstream patch: Remove dhcp_extra_opt value after first newline character. (Closes: #993398) Checksums-Sha1: b19878edadc3a48daf31df74495514294bba2439 4762 neutron_18.1.0-3.dsc 3e61dc3b9342149ff79f6cdeea7e63b7dfe10700 39996 neutron_18.1.0-3.debian.tar.xz a6bec40e2413fcf5a170ae52f3973e019e60007b 19982 neutron_18.1.0-3_amd64.buildinfo Checksums-Sha256: 049c759e40112a08af1c3ac7ec0baf0882e56aec21d1ad555f4b524557ef94dc 4762 neutron_18.1.0-3.dsc 42af8b7dc069d73c69ae470f6cffdb42e9883786932f8e6f0b88510ebed53bda 39996 neutron_18.1.0-3.debian.tar.xz bc95f76293a4f6d3d7203e6f2e31663bb050390d013cf1b937a0ebc0c1d3ec81 19982 neutron_18.1.0-3_amd64.buildinfo Files: 17c2ce9a03cc6e6b7fa197338a57a714 4762 net optional neutron_18.1.0-3.dsc 6e03682981eea64fd1bbeb83eff21d21 39996 net optional neutron_18.1.0-3.debian.tar.xz 02d8dc2f973f20a816af0909ac0d6480 19982 net optional neutron_18.1.0-3_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmEvnN4ACgkQ1BatFaxr Q/5t9RAAlZpKWs0alsHWbPp+rfHajndkgd1pQM/4k6CPn0RnZNHEi9Jr/qziw37A ZXHaZF2il6M6+TVIoMXv46BlILvkyD0KQS2iJul5IwYt6OAwyhTIemYmxTEpzL55 XNYmBNVi4ic9OUSpjgxEeiNrL/DxUOoIZdM3XSPfjmkRGIKRXJP76O5MzuEtA9I4 l8WwEMqnCD7bRdtaAHPGHWUH3vejILqHbKEYr7gTfAOOKuXVwn/Abp3hVXTBqSKi YiQRdNi36Y1xQUhEzneZtXWJ8jIdyw2Y185ED3qcSuaPqTZ8tJEG/eYKJd36vdGY QaA39zKS/+n9DHNBShBqzOw9X08kDDbciUkfm+CE6MSwN04p1QVsm57qBxlBba8Z B8j+VzSLJVNWIsFvtjpFdgRWCJ4tvio8GD90m3wHsL9g59f+/qktYlcJKZeI96Aw 54Z6u3iuVACF9ngs5+UsEHt0GDuSCkY9krTBbvi8bXSUcEBWn62j102TRD2girPT TCDNQe7D5glw+Q4XigBQOZTUuCI7o+PIbUQBcxk8vOwGeNRA0kB6sofnpdbjrF5B +ZyQVPL0dZFI3EPg2TuBf6BdHFC8JaVOjoQ1waWlc+eADcC9DpDA6f7nwsLZPIsB cW+SPqMeRJnF3uRDbtVOYCcbE/ZIits/vkdaPmt6eRIC8opGTP8= =UArM -----END PGP SIGNATURE-----
--- End Message ---
