Date: Wed, 10 Dec 2014 14:41:51 -0500 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-039.1] Neutron DoS through invalid DNS configuration (CVE-2014-7821) ERRATA 1 OpenStack Security Advisory: 2014-039 (ERRATA 1) CVE: CVE-2014-7821 Date: December 10, 2014 Title: Neutron DoS through invalid DNS configuration Reporter: Henry Yamauchi, Charles Neill and Michael Xin (Rackspace) Products: Neutron Versions: up to 2014.1.3 and 2014.2 Description: Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a vulnerability in Neutron. By configuring a maliciously crafted dns_nameservers an authenticated user may crash Neutron service resulting in a denial of service attack. All Neutron setups are affected. Errata: The former fix did not take into account the usage of hostnames as nameserver and caused a regression for this use-case. This update provides an additional fix for that issue. Kilo (development branch) fixes: https://review.openstack.org/135616 (original) https://review.openstack.org/137560 (errata) Juno fixes: https://review.openstack.org/135623 (original) https://review.openstack.org/139061 (errata) Icehouse fixes: https://review.openstack.org/135624 (original) https://review.openstack.org/139063 (errata) Notes: These fixes are included in the 2014.2.1 release and will be included in a future 2014.1.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7821 https://launchpad.net/bugs/1378450 OSSA History: 2014-12-10 - Errata 1 2014-11-19 - Original Version -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (539 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.