Data retained after deletion of a ScaleIO volume
---
### Summary ###
Certain storage volume configurations allow newly created volumes to
contain previous data. This could lead to leakage of sensitive
information between tenants.
### Affected Services / Software ###
Cinder releases up to and incl
Keystone policy rule "identity:get_identity_providers" was ignored
---
### Summary ###
A policy rule in Keystone did not behave as intended leading to a less
secure configuration than would be expected.
### Affected Services / Software ###
OpenStack Identity Service (Keystone) versions through Mi
tions ###
Operators should update the dnsmasq service using the affected nodes'
operating system packaging tools to version 2.78 or later, or to a
distribution-packaged version that contains the relevant backports for
these vulnerabilities.
### Contacts / References ###
Author: Luke Hinds
This OSSN :
operators upgrade to the Pike release where all
future passwords would be bcrypt hashed.
Operators should also force password changes on all users [1], which
will result in the users' newly generated passwords being bcrypt hashed.
### Contacts / References ###
Author: Luke Hinds
[1]:
https
Bitter, Red Hat
Author: Luke Hinds, Red Hat
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0080
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1649333
OpenStack Security Project : https://launchpad.net/
running qemu version 2.6 or
later, and libvirt version 2.2 or later, are not vulnerable.
No change is required in Nova or Ceph to resolve this issue.
### Contacts / References ###
Author: Luke Hinds, Red Hat
https://access.redhat.com/security/cve/CVE-2015-5160
This OSSN : https://wiki.openstack.org/wiki
.
Existing deployments can limit policy on `copy_from` by restricting use
to `admin` within `policy.json` as follows:
"copy_from": "role:admin"
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0078
Original L
Users of Glance may be able to replace active image data
---
### Summary ###
When Glance has been configured with the "show_multiple_locations"
option enabled with default policy for set and delete locations, it is
possible for a non-admin user having write access to the image metadata
to replace
OpenStack Security Note: 0074
Nova metadata service should not be used for sensitive information
---
### Summary ###
A recent security report has highlighted how users may be using the
metadata service to store security sensitive information.
The Nova metadata service should not be considered a
OSSN previously incorrectly stated that the fix was back ported to
Liberty release. This is not the case and the fix was applied only to
Mitaka.
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066
Original LaunchPad Bug : https://bug
to the role admin only, amend
`/etc/glance/policy.json` accordingly.
"add_image": "role:admin",
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0076
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+b
is applies to all MongoDB clusters, and requires a
restart of the trove-api service to change, and cannot be toggled on
running clusters.
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0066
Original LaunchPad Bug : https://bugs.lau
Deleted Glance image IDs may be reassigned
---
### Summary ###
It is possible for image IDs from deleted images to be reassigned to
other images. This creates the possibility that:
- Alice creates a VM that boots from image ID X which has been shared
with her by a trusted party, Bob.
- Bob (i
Horizon dashboard leaks internal information through cookies
---
### Summary ###
When Horizon is configured, its URL contains the IP address of
Keystone's internal URL, because the default value for the identity
service is "internalURL".[1]
The cookie "login_region" will be set to the value confi
/ References ###
Author: Vinay Potluri, Intel & Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0069
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1534652
This issue was referenced in https://bugs.launchpad.net/Neutron/+bug/1459856
Related issue addresse
On Sun, Sep 4, 2016 at 7:44 PM, Turbo Fredriksson wrote:
> On Sep 4, 2016, at 7:25 PM, Karishma Sharma wrote:
>
> > Is it DevStack that I need to build or something else?
>
> _Personally_ I prefer to learn the hard way. That is, install the
> package(s) and configure them manually.
>
> It takes l
Bandit versions lower than 1.1.0 do not escape HTML in issue reports
---
### Summary ###
Bandit versions lower than 1.1.0 have a bug in the HTML report formatter
that does not escape HTML in issue context snippets. This could lead to
an XSS if HTML reports are hosted as part of a CI pipeline.
##
entos-7)
# mod_security #####
https://www.modsecurity.org/
### Contacts / References ###
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0068
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1553324
OpenStack Security ML : openstack-secur...@lists.o