[Yahoo-eng-team] [Bug 1818385] Re: [OSSA-2019-001] It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735)

Jeremy Stanley Mon, 18 Mar 2019 09:01:51 -0700

** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1818385

Title:
  [OSSA-2019-001] It's possible to add a security group rule for VRRP
  with a dport (CVE-2019-9735)

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  This command should be invalid, but Neutron (Rocky) allows it to be created.
  > openstack security group rule create xxx --protocol vrrp --ingress 
--remote-ip <ip> --dst-port 112

  Since iptables does not allow dst-port being passed. It would trigger the 
following error on the compute and fail to apply any future iptable rules.
  > unknown option "--dport"

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1818385/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1818385] Re: [OSSA-2019-001] It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735)

Reply via email to