Date: Wed, 11 Dec 2013 15:50:58 +0000
From: Jeremy Stanley <jeremy@...nstack.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426)

[Apologies for the duplicate--forgot to sign the previous one.]

OpenStack Security Advisory: 2013-034
CVE: CVE-2013-6426
Date: December 11, 2013
Title: Heat CFN policy rules not all enforced
Reporter: Steven Hardy (Red Hat)
Products: Heat
Affects: All supported releases

Description:
Steven Hardy from Red Hat reported a vulnerability in Heat's default API
policy enforcement. By calling the CreateStack or UpdateStack methods, an
in-instance user may be able to create or update a stack in violation of
the default policy. Only setups using Heat's cloudformation-compatible API
are affected.

Icehouse (development branch) fix:
https://review.openstack.org/61452

Havana fix:
https://review.openstack.org/61454

Notes:
This fix will be included in the icehouse-2 development milestone and in
a future 2013.2.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6426
https://launchpad.net/bugs/1256049

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
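The bug class behind this advisory is an API whose policy enforcer is consulted by some actions but silently skipped by others. The following Python model is an added illustration, not Heat's code and not part of the advisory: the controller classes, the `stack_user` role, the rule names and the decorator are all assumptions chosen to mirror the CreateStack/UpdateStack actions the advisory names. It shows the per-action hand-written enforcement that lets two actions slip through, the declarative form in which every handler must name its policy rule, and a coverage check a test suite can run to flag handlers that declare no rule.

```python
"""Hypothetical model of 'policy rules not all enforced' (OSSA 2013-034 bug
class). Not Heat's code; role and rule names are constructed for illustration."""

import inspect
from functools import wraps


class PolicyNotAuthorized(Exception):
    """Raised when the policy rule for an action denies the caller."""


# Constructed default policy: an in-instance 'stack_user' context may read
# stacks but must not create or update them. Rule names are assumptions.
DEFAULT_POLICY = {
    "cloudformation:ListStacks": lambda ctx: True,
    "cloudformation:DescribeStacks": lambda ctx: True,
    "cloudformation:CreateStack": lambda ctx: "stack_user" not in ctx["roles"],
    "cloudformation:UpdateStack": lambda ctx: "stack_user" not in ctx["roles"],
}


class Enforcer:
    """Looks up the rule for an action; unknown actions are denied (fail closed)."""

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, context, action):
        rule = self.rules.get(action)
        if rule is None or not rule(context):
            raise PolicyNotAuthorized(action)


def enforced(action):
    """Decorator: the handler consults the enforcer before its body runs and
    records which rule it relies on, so coverage can be checked statically."""
    def deco(fn):
        @wraps(fn)
        def wrapper(self, context, *args, **kwargs):
            self.enforcer.enforce(context, action)
            return fn(self, context, *args, **kwargs)
        wrapper.policy_action = action
        return wrapper
    return deco


class VulnerableController:
    """Enforcement is hand-written per action, and two actions omit it."""

    def __init__(self, enforcer):
        self.enforcer = enforcer

    def ListStacks(self, context):
        self.enforcer.enforce(context, "cloudformation:ListStacks")
        return "listed"

    def CreateStack(self, context, name):   # defect: no enforce() call
        return f"created {name}"

    def UpdateStack(self, context, name):   # defect: no enforce() call
        return f"updated {name}"


class FixedController:
    """Every public handler declares its rule; nothing runs unenforced."""

    def __init__(self, enforcer):
        self.enforcer = enforcer

    @enforced("cloudformation:ListStacks")
    def ListStacks(self, context):
        return "listed"

    @enforced("cloudformation:CreateStack")
    def CreateStack(self, context, name):
        return f"created {name}"

    @enforced("cloudformation:UpdateStack")
    def UpdateStack(self, context, name):
        return f"updated {name}"


def unenforced_actions(controller_cls):
    """Coverage check: public handlers that declare no policy action.
    Hand-written enforce() calls are invisible to this check on purpose,
    so they are reported too; the declarative form is what gets trusted."""
    return sorted(
        name for name, member in inspect.getmembers(controller_cls, inspect.isfunction)
        if not name.startswith("_") and not hasattr(member, "policy_action")
    )


def action_allowed(controller_cls, roles, action, *args):
    """Behavioural check: does a context with these roles get through `action`?"""
    ctl = controller_cls(Enforcer(DEFAULT_POLICY))
    try:
        getattr(ctl, action)({"roles": roles}, *args)
        return True
    except PolicyNotAuthorized:
        return False


if __name__ == "__main__":
    print("vulnerable, uncovered:", unenforced_actions(VulnerableController))
    print("fixed, uncovered:", unenforced_actions(FixedController))
    print("stack_user CreateStack (vulnerable):",
          action_allowed(VulnerableController, ["stack_user"], "CreateStack", "demo"))
    print("stack_user CreateStack (fixed):",
          action_allowed(FixedController, ["stack_user"], "CreateStack", "demo"))
```

The coverage check is the part worth carrying into a real test suite: it turns "did every handler remember to call the enforcer" from a code-review question into a failing test, and it reports hand-written checks as uncovered precisely because it cannot verify them.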