[PKG-Openstack-devel] Bug#742800: CVE-2014-0056: Routers can be cross plugged by other tenants
Thomas Goirand
zigo at debian.org
Thu Mar 27 15:46:33 UTC 2014
Package: python-neutron
Version: 2013.2.2-3
Severity: important
Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMWare)
Products: Neutron
Affects: 2012.2 versions up to 2013.2.2
Description:
Aaron Rosen from VMWare reported a vulnerability where Neutron fails to
perform proper authorization checks when creating ports. By choosing a
device id of a router from a different tenant when creating a port, an
authenticated user can access the network of other tenants. This affects
deployments of Neutron using plugins relying on the l3-agent.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/grizzly, stable/havana and master (Icehouse
development branch) on the public disclosure date.
Note from Debian package maintainer: I have the patch and I'm
uploading a fixed version right away to Sid.
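
Added example, not part of the original message or of the attached patches: a minimal Python model of the missing authorization check described above, shown beside a hardened form and a sweep for ports that are already cross plugged. The ROUTERS table, the Context class and all function names are hypothetical, and the sweep assumes a router's ports normally carry the router owner's tenant ID.

```python
from dataclasses import dataclass


class NotAuthorized(Exception):
    """Raised when a tenant references a router it does not own."""


@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False


# Constructed sample data: router id -> owning tenant.
ROUTERS = {"router-a": "tenant-a", "router-b": "tenant-b"}


def create_port_unchecked(ctx, network_id, device_id):
    """Models the flaw: device_id is stored with no ownership check."""
    return {"tenant_id": ctx.tenant_id, "network_id": network_id,
            "device_id": device_id}


def create_port_checked(ctx, network_id, device_id):
    """Rejects a device_id that names a router owned by another tenant."""
    owner = ROUTERS.get(device_id)  # None when device_id is not a router
    if owner is not None and not ctx.is_admin and owner != ctx.tenant_id:
        raise NotAuthorized(
            f"device_id {device_id} is not owned by tenant {ctx.tenant_id}")
    return create_port_unchecked(ctx, network_id, device_id)


def audit_ports(ports):
    """Returns existing ports whose device_id is another tenant's router."""
    return [p for p in ports
            if ROUTERS.get(p["device_id"]) not in (None, p["tenant_id"])]


if __name__ == "__main__":
    tenant_b = Context("tenant-b")
    stored = [create_port_unchecked(tenant_b, "net-b", "router-a")]
    print("cross-plugged ports:", audit_ports(stored))
    try:
        create_port_checked(tenant_b, "net-b", "router-a")
    except NotAuthorized as exc:
        print("rejected:", exc)
```

Ports that an administrator created on behalf of another tenant also show up in the sweep, so its output needs review before any cleanup.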