[PKG-Openstack-devel] Bug#755134: CVE-2014-3555: Denial of Service in Neutron allowed address pair

Thomas Goirand zigo at debian.org
Fri Jul 18 02:30:45 UTC 2014


Package: neutron
Version: 2014.1.1-2
Severity: normal
Tags: security patch

Pre-OSS announcement below, before my upload including the upstream fix.

Title: Denial of Service in Neutron allowed address pair
Reporter: Liping Mao (Cisco)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1

Description:
Liping Mao from Cisco reported a denial of service vulnerability in
Neutron's handling of allowed address pair. By creating a large number
of allowed address pairs, an authenticated user may overwhelm neutron
firewall rules and render compute nodes unusable. All Neutron setups are
affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/havana, stable/icehouse and master (Juno
development branch) on the public disclosure date.

CVE: CVE-2014-3555

Proposed public disclosure date/time:
2014-07-17, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Regards,

Tristan Cacqueray
OpenStack Vulnerability Management Team