[PKG-Openstack-devel] Bug#796108: CVE-2015-5694 CVE-2015-5695

Kiall Mac Innes kiall at macinnes.ie
Wed Aug 19 14:36:14 UTC 2015

Hey - Upstream Designate maintainer here.

Icehouse - aka 2014.1 - is partially affected by CVE-2015-5695, failure 
to enforce recordset quotas.

This was the less severe of the two CVEs, which we treated as a feature 
not implemented rather than a security issue initially. Additionally, 
the issue could only be exploited through the disabled by default + 
marked experimental V2 API.

Regardless - The patch at [1] should be easy enough to re-work for Icehouse.


[1]: https://launchpadlibrarian.net/211525408/bug-1471161-quotas-kilo.patch

On 19/08/15 09:11, Moritz Muehlenhoff wrote:
> Source: designate
> Severity: grave
> Tags: security
> Hi,
> please see the thread starting here:
> https://marc.info/?l=oss-security&m=143810184926097&w=2
> Can you please check with upstream whether 2014.1 from jessie
> is affected, if so we should fix it.
> Cheers,
>          Moritz

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20150819/35c7fae9/attachment.html>

More information about the Openstack-devel mailing list