[ubuntu/trusty-security] nova 1:2014.1.5-0ubuntu1.7 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Wed Oct 11 11:38:52 UTC 2017

nova (1:2014.1.5-0ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via instance deletion during migration
    - debian/patches/CVE-2015-3241-1.patch: check for resize path on
      libvirt instance delete in nova/tests/virt/libvirt/test_libvirt.py,
    - debian/patches/CVE-2015-3241-1.patch: sync process utils from oslo in
    - debian/patches/CVE-2015-3241-1.patch: kill rsync/scp processes before
      deleting instance in nova/tests/virt/libvirt/test_libvirt.py,
      nova/virt/libvirt/driver.py, nova/virt/libvirt/instancejobtracker.py,
    - CVE-2015-3241
  * SECURITY UPDATE: DoS via instance deletion during resize
    - debian/patches/CVE-2015-3280.patch: delete orphaned instance files
      from compute nodes in nova/compute/manager.py,
    - CVE-2015-3280
  * SECURITY UPDATE: DoS via crafted disk image
    - debian/patches/CVE-2015-5162-1.patch: add prlimit parameter to
      execute() in nova/openstack/common/prlimit.py,
    - debian/patches/CVE-2015-5162-2.patch: add support for missing process
      limits in nova/openstack/common/prlimit.py,
    - debian/patches/CVE-2015-5162-3.patch: set address space & CPU time
      limits when running qemu-img in nova/virt/images.py,
    - CVE-2015-5162
  * SECURITY UPDATE: arbitrary file read via snapshot
    - debian/patches/CVE-2015-7548-1.patch: fix format detection in libvirt
      snapshot in nova/tests/virt/libvirt/fake_libvirt_utils.py,
      nova/virt/libvirt/driver.py, nova/virt/libvirt/utils.py.
    - debian/patches/CVE-2015-7548-2.patch: fix format conversion in
      libvirt snapshot in nova/tests/virt/libvirt/test_libvirt.py,
      nova/virt/images.py, nova/virt/libvirt/imagebackend.py.
    - debian/patches/CVE-2015-7548-3.patch: fix backing file detection in
      libvirt live snapshot in nova/tests/virt/libvirt/test_libvirt.py,
      nova/tests/virt/libvirt/fake_libvirt_utils.py, nova/virt/images.py,
      nova/virt/libvirt/driver.py, nova/virt/libvirt/utils.py.
    - debian/patches/CVE-2015-7548-4.patch: disable live snapshot for
      rbd-backed instances in nova/virt/libvirt/driver.py.
    - CVE-2015-7548
  * SECURITY UPDATE: restriction bypass via security group changes
    - debian/patches/CVE-2015-7713.patch: don't expect meta attributes in
      object_compat that aren't in the db obj in nova/compute/manager.py,
    - CVE-2015-7713
  * SECURITY UPDATE: password disclosure via xen log files
    - debian/patches/CVE-2015-8749.patch: mask passwords in volume
      connection_data dict in nova/virt/xenapi/volume_utils.py.
    - CVE-2015-8749
  * SECURITY UPDATE: arbitrary file read via crafted qcow2 header
    - debian/patches/CVE-2016-2140-1.patch: always copy or recreate
      disk.info during a migration in nova/virt/libvirt/driver.py,
    - debian/patches/CVE-2016-2140-2.patch: fix processing of libvirt
      disk.info in non-disk-image cases in nova/virt/libvirt/driver.py,
    - debian/patches/CVE-2016-2140-3.patch: decode disk_info before use in
      nova/tests/virt/libvirt/test_libvirt.py, nova/virt/libvirt/driver.py.
    - CVE-2016-2140
  * Thanks to Red Hat for the backports many of these patches are based on.

nova (1:2014.1.5-0ubuntu1.6) trusty; urgency=medium

  * Allow evacuate for an instance in the Error state (LP: #1298061)
    - d/p/remove_useless_state_check.patch remove unnecessary task_state check
    - d/p/evacuate_error_vm.patch Allow evacuate from error state

nova (1:2014.1.5-0ubuntu1.5) trusty; urgency=medium

  * Fix live migration usage of the wrong connector (LP: #1475411)
    - d/p/Fix-live-migrations-usage-of-the-wrong-connector-inf.patch
  * Fix wrong used ProcessExecutionError exception (LP: #1308839)
    - d/p/Fix-wrong-used-ProcessExecutionError-exception.patch
  * Clean up iSCSI multipath devices in Post Live Migration (LP: #1357368)
    - d/p/Clean-up-iSCSI-multipath-devices-in-Post-Live-Migrat.patch
  * Detach iSCSI latest path for latest disk (LP: #1374999)
    - d/p/Detach-iSCSI-latest-path-for-latest-disk.patch

nova (1:2014.1.5-0ubuntu1.4) trusty; urgency=medium

  * Protect against possible rpcapi mismatch on upgrade (LP: #1506257)
    - d/p/protect-against-upgrade-rpc-ver-mismatch.patch

nova (1:2014.1.5-0ubuntu1.3) trusty; urgency=medium

  * Attempting to attach the same volume multiple times can cause
    bdm record for existing attachment to be deleted. (LP: #1349888)
    - d/p/fix-creating-bdm-for-failed-volume-attachment.patch

nova (1:2014.1.5-0ubuntu1.2) trusty; urgency=medium

  * Add rsyslog retry support (LP: #1459046)
    - d/p/add-support-for-syslog-connect-retries.patch
  * Add vm clean shutdown support (LP: #1196924)
    - d/p/clean-shutdown.patch

nova (1:2014.1.5-0ubuntu1.1) trusty; urgency=medium

    [ Edward Hope-Morley ]
    - d/nova-compute.upstart: Fix (another) race between nova-compute
      and neutron-ovs-cleanup (LP: #1471022)

nova (1:2014.1.5-0ubuntu1) trusty; urgency=medium

  * Resynchronize with stable/icehouse (08b5d48) (LP: #1467533):
    - [74295ed] Use ebtables to isolate dhcp traffic
    - [a83eb5f] VMware: fix AttributeError: TaskInfo instance has no attribute 'name'
    - [8876294] libvirt: partial fix for live-migration with config drive
    - [b77c188] Type conflict in trusted_filter.py using attestation_port default value
    - [378a8d4] Use instance.uuid instead of instance
    - [c12f21d] Make test_version_string_with_package_is_good work with pbr 0.11
    - [1668178] Moves trusted filter unit tests into own file
    - [4812617] Use hypervisor hostname for compute trust level
    - [d8853ee] Recover from POWERING-* state on compute manager start-up
    - [0784b0c] Avoid referring to juno-era exception type
    - [f513a28] libvirt: Make sure volumes are well detected during block migration
    - [68ec684] libvirt: avoid changing UUID when redefining nwfilters
    - [cc86ef5] delete python bytecode before every test run
    - [3501ec2] Drop use of oslo.utils in nova
    - [392dc22] Eventlet green threads not released back to pool
    - [1e03160] Sync strutils from oslo-incubator for mask_password fix
    - [7292c02] Allow instances to attach to shared external nets
    - [dbc348d] Fix libvirt watchdog support
    - [08b5d48] HyperV Driver - Fix to implement hypervisor-uptime
  * d/p/drop-oslo-utils-usage.patch: Dropped; Fixed upstream.
  * d/p/recover-from-power-state-on-compute.patch: Dropped; Fixed upstream.
  * d/p/fix-requirements.patch: Rebased.

nova (1:2014.1.4-0ubuntu2.1) trusty; urgency=medium

  * Ensure that compute manager restarts during instance power
    operations don't leave instances stuck in transitional task
    states (LP: #1304333):
    - d/p/recover-from-power-state-on-compute.patch
      Cherry pick backport of upstream fix from OpenStack >= Juno.

nova (1:2014.1.4-0ubuntu2) trusty; urgency=medium

  [ Edward Hope-Morley ]
  * Fixed race between nova-compute and neutron-ovs-cleanup (LP: #1420572)

  [ Corey Bryant ]
  * d/control: Set minimum python-six dependency to 1.5.2 (LP: #1403114).

nova (1:2014.1.4-0ubuntu1) trusty; urgency=medium

  * Resynchronize with stable/icehouse (cac6472) (LP: #1432608):
    - [0ff6742] Websocket Proxy should verify Origin header
    - [c70e1fb] Fix kwargs['instance'] KeyError in @reverts_task_state decorator
    - [07ec12c] Revert "Eventlet green threads not released back to pool"
    - [e9cf07b] Compute: Catch binding failed exception while init host
    - [e275961] Make tests use sha256 as openssl default digest algorithm
    - [a657582] Eventlet green threads not released back to pool
    - [4b46a86] Fix image metadata returned for volumes
    - [58a6393] Check min_ram and min_disk when boot from volume
    - [c5411d2] Extends use of ServiceProxy to more methods in HostAPI in cells
    - [1e2abd6] Remove usage of self.__dict__ for message var replacement
    - [54f9225] only emit deprecation warnings once
    - [52103be] Fix disconnecting necessary iSCSI sessions issue
    - [cca94d0] Fix connecting unnecessary iSCSI sessions issue
    - [ac9f5c7] Fix wrong command for _rescan_multipath
    - [d7c8e93] Fix unsafe SSL connection on TrustedFilter
    - [9ecc468] Fix SecurityGroupExists error when booting instances
    - [33be7d7] Update "num_instance" during delete instance
    - [3de3f10] Fix nova evacuate issues for RBD
    - [fe289fb] Fix nova-compute start issue after evacuate
    - [f781656] Add _security_group_ensure_default() DBAPI method
    - [8812672] Run build_and_run_instance in a separate greenthread
    - [b6a080b] Fixes DOS issue in instance list ip filter
    - [5ab0421] Make the block device mapping retries configurable
    - [0695e14] Retry on closing of luks encrypted volume in case device is busy
    - [dffa810] Add @_retry_on_deadlock to _instance_update()
    - [f086ca3] Nova api service doesn't handle SIGHUP properly
    - [7cdb643] Fix XML UnicodeEncode serialization error
    - [98a6c1e] postgresql: use postgres db instead of template1
    - [155664f] share neutron admin auth tokens
    - [3e80433] VMware: validate that VM exists on backend prior to deletion
    - [d71445c] VMWare: Fix VM leak when deletion of VM during resizing
    - [56b62b7] Sync process utils from oslo
    - [ddd62ff] VMware: prevent race condition with VNC port allocation
    - [4174130] Fixes Hyper-V volume mapping issue on reboot
    - [bfeae68] Fix CellStateManagerFile init to failure
    - [5ec3cd3] Raise descriptive error for over volume quota
    - [f9fad7a] Fixes missing ec2 api address disassociate error on failure
    - [64ec1bf] Fix instance cross AZ check when attaching volumes
    - [698c821] Ignore errors when deleting non-existing vifs
    - [8141e7a] libvirt: Handle unsupported host capabilities
    - [df9ead9] libvirt: Make `fakelibvirt.libvirtError` match
    - [cac6472] Add _wrap_db_error() support to SessionTransaction.commit()
  * d/p/drop-oslo-utils-usage.patch: Added to override new oslo.utils dep.
  * d/p/disable-websockify-tests.patch: Added to disable websockify tests.
  * d/p/block-device-mapping-config.patch: Dropped. Fixed upstream in [5ab0421].
  * d/p/libvirt-Handle-unsupported-host-capabilities.patch: Dropped. Fixed
    upstream in [8141e7a] and [df9ead9].
  * d/p/cells-json-store.patch: Dropped. Fixed upstream in [bfeae68].
  * d/p/fix-requirements.patch: Rebased.
  * d/p/update-run-tests.patch: Run tests with default concurrencey.

nova (1:2014.1.3-0ubuntu2) trusty; urgency=medium

  [ Corey Bryant ]
  * d/p/block-device-mapping-config.patch: Make the block device mapping
    retries configurable (LP: #1376927).

Date: 2017-09-13 19:23:13.502358+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Trusty-changes mailing list