USN-3446-1: OpenStack Glance vulnerabilities

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3446-1
11th October, 2017

glance vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: Several security issues were fixed in OpenStack Glance.

Software description: glance – OpenStack Image Registry and Delivery Service

Details:

Hemanth Makkapati discovered that OpenStack Glance incorrectly handled access restrictions. A remote authenticated user could use this issue to change the status of images, contrary to access restrictions. (CVE-2015-5251)

Mike Fedosin and Alexei Galkin discovered that OpenStack Glance incorrectly handled the storage quota. A remote authenticated user could use this issue to consume disk resources, leading to a denial of service. (CVE-2015-5286)

Erno Kuvaja discovered that OpenStack Glance incorrectly handled the show_multiple_locations option. When show_multiple_locations is enabled, a remote authenticated user could change an image status and upload new image data. (CVE-2016-0757)

Update instructions: The problem can be corrected by updating [ more… ]

USN-3447-1: OpenStack Horizon vulnerability

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3447-1
11th October, 2017

horizon vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: OpenStack Horizon could be made to expose sensitive information over the network.

Software description: horizon – Web interface for OpenStack cloud infrastructure

Details:

Beth Lancaster and Brandon Sawyers discovered that OpenStack Horizon was incorrectly protected against cross-site scripting (XSS) attacks. A remote authenticated user could use this issue to inject web script or HTML in a dashboard form.

Update instructions: The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
openstack-dashboard 1:2014.1.5-0ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References: CVE-2016-4428

Source: USN-3447-1: OpenStack Horizon vulnerability

USN-3448-1: OpenStack Keystone vulnerability

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3448-1
11th October, 2017

keystone vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS

Summary: OpenStack Keystone would allow unintended access over the network.

Software description: keystone – OpenStack identity service

Details:

Boris Bobrov discovered that OpenStack Keystone incorrectly handled federation mapping when there are rules in which group-based assignments are not used. A remote authenticated user may receive all the roles assigned to a project regardless of the federation mapping, contrary to expectations.

Update instructions: The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
keystone 2:9.3.0-0ubuntu3.1
python-keystone 2:9.3.0-0ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References: CVE-2017-2673

Source: USN-3448-1: OpenStack Keystone vulnerability

USN-3449-1: OpenStack Nova vulnerabilities

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3449-1
11th October, 2017

nova vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: Several security issues were fixed in OpenStack Nova.

Software description: nova – OpenStack Compute cloud infrastructure

Details:

George Shuklin discovered that OpenStack Nova incorrectly handled the migration process. A remote authenticated user could use this issue to consume resources, resulting in a denial of service. (CVE-2015-3241)

George Shuklin and Tushar Patil discovered that OpenStack Nova incorrectly handled deleting instances. A remote authenticated user could use this issue to consume disk resources, resulting in a denial of service. (CVE-2015-3280)

It was discovered that OpenStack Nova incorrectly limited qemu-img calls. A remote authenticated user could use this issue to consume resources, resulting in a denial of service. (CVE-2015-5162)

Matthew Booth discovered that OpenStack Nova incorrectly handled snapshots. A remote authenticated user could [ more… ]

USN-3450-1: Open vSwitch vulnerabilities

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3450-1
11th October, 2017

openvswitch vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04, Ubuntu 16.04 LTS

Summary: Several security issues were fixed in Open vSwitch.

Software description: openvswitch – Ethernet virtual switch

Details:

Bhargava Shastry discovered that Open vSwitch incorrectly handled certain OFP messages. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9214)

It was discovered that Open vSwitch incorrectly handled certain OpenFlow role messages. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9263)

It was discovered that Open vSwitch incorrectly handled certain malformed packets. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. This issue only affected Ubuntu [ more… ]