[Bug 968411] Re: [Precise] nova is vulnerable to CVE-2012-1585

[Launchpad Bug Tracker]

This bug was fixed in the package nova - 2012.1~rc2-0ubuntu1

---------------
nova (2012.1~rc2-0ubuntu1) precise; urgency=low

  [ Adam Gandelman ]
  * debian/control: Remove unncessary nova-cert dependency from nova-api.
    (LP: #965356)
  * debian/nova-common.postinst: Clean up spacing, remove redundant chown,
    set blanket 0700 nova.nova permissions on /etc/nova/
  * debian/nova-compute-{kvm, lxc, uml, xen}.postinst: Set proper permissions
    on /etc/nova/nova-compute.conf (LP: #861459)
  * debian/nova-common.postinst:  Ensure default nova.sqlite database is not
    world-readable.
  * debian/{rules, nova-common.{install, postinst}}: Install api-paste.ini 0600
    with nova-common (in prepartion for proper nova-api-* package separation)
  * debian/{nova-common.nova-manage.logrotate,
    nova-network.nova-dhcpbridge.logrotate, rules}: Add lograte files,
    override_dh_installlogrotate. (LP: #942646)
  * Add manpage stubs for nova-api-ec2, nova-api-metadata,
    nova-api-os-{volume, compute}, nova-rootwrap. Use sphinx built manpage
    for nova-manage (nova-common.manpages)
  * debian/nova-compute-{kvm, xen, uml, qemu}.postinst: Remove calls to
    adduser since this is already handled from nova-compute.postsinst in a
    vendor neutral way.  Silences lintian errors regarding adduser dependency

  [ Chuck Short ]
  * New upstream version.
  * debian/patches/libvirt-use-console-pipe.patch: Dropped.
  * debian/patches/nova-console-monitor.patch: Add console-monitor
    option.
  * debian/nova.conf: Enable use_console_monitor
  * debian/patches/fix-ubuntu-tests.patch: Fix nova testsuite.
  * debian/rules: fail package build if testsuite fails.
  * debian/patches/validate_server_name_length.patch: Dropped no longer
    needed.
  * debian/patches/fix-docs-build-without-network.patch: Some docs need
    a network connection in order to build. Disable fetching docs from
    the internet.
  * debian/patches/0001-fix-useexisting-deprecation-warnings.patch:
    Remove deprecated warnings with sqlalchemy.

  [ Tyler Hicks ]
  * SECURITY UPDATE: Denial of service via resource exhaustion in nova-api
    (LP: #968411)
    - debian/patches/validate_server_name_length.patch: Limit server names
      to a maximum of 255 characters to prevent nova-api log files from
      exhausting storage space. Based on upstream patch.
    - CVE-2012-1585
 -- Chuck Short <zul...@ubuntu.com>   Mon, 02 Apr 2012 11:17:33 -0400

** Changed in: nova (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/968411

Title:
  [Precise] nova is vulnerable to CVE-2012-1585

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/968411/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs