[ubuntu/trusty-security] nova 1:2014.1.5-0ubuntu1.7 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Oct 11 11:38:52 UTC 2017

nova (1:2014.1.5-0ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via instance deletion during migration
    - debian/patches/CVE-2015-3241-1.patch: check for resize path on
      libvirt instance delete in nova/tests/virt/libvirt/test_libvirt.py,
      nova/virt/libvirt/driver.py.
    - debian/patches/CVE-2015-3241-1.patch: sync process utils from oslo in
      nova/openstack/common/processutils.py.
    - debian/patches/CVE-2015-3241-1.patch: kill rsync/scp processes before
      deleting instance in nova/tests/virt/libvirt/test_libvirt.py,
      nova/tests/virt/libvirt/test_libvirt_utils.py,
      nova/virt/libvirt/driver.py, nova/virt/libvirt/instancejobtracker.py,
      nova/virt/libvirt/utils.py.
    - CVE-2015-3241
  * SECURITY UPDATE: DoS via instance deletion during resize
    - debian/patches/CVE-2015-3280.patch: delete orphaned instance files
      from compute nodes in nova/compute/manager.py,
      nova/tests/compute/test_compute_mgr.py.
    - CVE-2015-3280
  * SECURITY UPDATE: DoS via crafted disk image
    - debian/patches/CVE-2015-5162-1.patch: add prlimit parameter to
      execute() in nova/openstack/common/prlimit.py,
      nova/openstack/common/processutils.py,
      nova/tests/openstack_common/test_processutils.py.
    - debian/patches/CVE-2015-5162-2.patch: add support for missing process
      limits in nova/openstack/common/prlimit.py,
      nova/openstack/common/processutils.py,
      nova/tests/openstack_common/test_processutils.py.
    - debian/patches/CVE-2015-5162-3.patch: set address space & CPU time
      limits when running qemu-img in nova/virt/images.py,
      nova/tests/virt/libvirt/test_libvirt.py,
      nova/tests/virt/libvirt/test_image_utils.py,
      nova/tests/virt/libvirt/test_libvirt_utils.py.
    - CVE-2015-5162
  * SECURITY UPDATE: arbitrary file read via snapshot
    - debian/patches/CVE-2015-7548-1.patch: fix format detection in libvirt
      snapshot in nova/tests/virt/libvirt/fake_libvirt_utils.py,
      nova/tests/virt/libvirt/test_image_utils.py,
      nova/tests/virt/libvirt/test_libvirt_utils.py,
      nova/virt/libvirt/driver.py, nova/virt/libvirt/utils.py.
    - debian/patches/CVE-2015-7548-2.patch: fix format conversion in
      libvirt snapshot in nova/tests/virt/libvirt/test_libvirt.py,
      nova/virt/images.py, nova/virt/libvirt/imagebackend.py.
    - debian/patches/CVE-2015-7548-3.patch: fix backing file detection in
      libvirt live snapshot in nova/tests/virt/libvirt/test_libvirt.py,
      nova/tests/virt/libvirt/fake_libvirt_utils.py, nova/virt/images.py,
      nova/virt/libvirt/driver.py, nova/virt/libvirt/utils.py.
    - debian/patches/CVE-2015-7548-4.patch: disable live snapshot for
      rbd-backed instances in nova/virt/libvirt/driver.py.
    - CVE-2015-7548
  * SECURITY UPDATE: restriction bypass via security group changes
    - debian/patches/CVE-2015-7713.patch: don't expect meta attributes in
      object_compat that aren't in the db obj in nova/compute/manager.py,
      nova/tests/compute/test_compute.py.
    - CVE-2015-7713
  * SECURITY UPDATE: password disclosure via xen log files
    - debian/patches/CVE-2015-8749.patch: mask passwords in volume
      connection_data dict in nova/virt/xenapi/volume_utils.py.
    - CVE-2015-8749
  * SECURITY UPDATE: arbitrary file read via crafted qcow2 header
    - debian/patches/CVE-2016-2140-1.patch: always copy or recreate
      disk.info during a migration in nova/virt/libvirt/driver.py,
      nova/tests/virt/libvirt/test_libvirt.py.
    - debian/patches/CVE-2016-2140-2.patch: fix processing of libvirt
      disk.info in non-disk-image cases in nova/virt/libvirt/driver.py,
      nova/tests/virt/libvirt/test_libvirt.py.
    - debian/patches/CVE-2016-2140-3.patch: decode disk_info before use in
      nova/tests/virt/libvirt/test_libvirt.py, nova/virt/libvirt/driver.py.
    - CVE-2016-2140
  * Thanks to Red Hat for the backports many of these patches are based on.

nova (1:2014.1.5-0ubuntu1.6) trusty; urgency=medium

  * Allow evacuate for an instance in the Error state (LP: #1298061)
    - d/p/remove_useless_state_check.patch remove unnecessary task_state check
    - d/p/evacuate_error_vm.patch Allow evacuate from error state

nova (1:2014.1.5-0ubuntu1.5) trusty; urgency=medium

  * Fix live migration usage of the wrong connector (LP: #1475411)
    - d/p/Fix-live-migrations-usage-of-the-wrong-connector-inf.patch
  * Fix wrong used ProcessExecutionError exception (LP: #1308839)
    - d/p/Fix-wrong-used-ProcessExecutionError-exception.patch
  * Clean up iSCSI multipath devices in Post Live Migration (LP: #1357368)
    - d/p/Clean-up-iSCSI-multipath-devices-in-Post-Live-Migrat.patch
  * Detach iSCSI latest path for latest disk (LP: #1374999)
    - d/p/Detach-iSCSI-latest-path-for-latest-disk.patch

nova (1:2014.1.5-0ubuntu1.4) trusty; urgency=medium

  * Protect against possible rpcapi mismatch on upgrade (LP: #1506257)
    - d/p/protect-against-upgrade-rpc-ver-mismatch.patch

nova (1:2014.1.5-0ubuntu1.3) trusty; urgency=medium

  * Attempting to attach the same volume multiple times can cause
    bdm record for existing attachment to be deleted. (LP: #1349888)
    - d/p/fix-creating-bdm-for-failed-volume-attachment.patch

nova (1:2014.1.5-0ubuntu1.2) trusty; urgency=medium

  * Add rsyslog retry support (LP: #1459046)
    - d/p/add-support-for-syslog-connect-retries.patch
  * Add vm clean shutdown support (LP: #1196924)
    - d/p/clean-shutdown.patch

nova (1:2014.1.5-0ubuntu1.1) trusty; urgency=medium

  [ Edward Hope-Morley ]
    - d/nova-compute.upstart: Fix (another) race between nova-compute
      and neutron-ovs-cleanup (LP: #1471022)

nova (1:2014.1.5-0ubuntu1) trusty; urgency=medium

  * Resynchronize with stable/icehouse (08b5d48) (LP: #1467533):
    - [74295ed] Use ebtables to isolate dhcp traffic
    - [a83eb5f] VMware: fix AttributeError: TaskInfo instance has no attribute 'name'
    - [8876294] libvirt: partial fix for live-migration with config drive
    - [b77c188] Type conflict in trusted_filter.py using attestation_port default value
    - [378a8d4] Use instance.uuid instead of instance
    - [c12f21d] Make test_version_string_with_package_is_good work with pbr 0.11
    - [1668178] Moves trusted filter unit tests into own file
    - [4812617] Use hypervisor hostname for compute trust level
    - [d8853ee] Recover from POWERING-* state on compute manager start-up
    - [0784b0c] Avoid referring to juno-era exception type
    - [f513a28] libvirt: Make sure volumes are well detected during block migration
    - [68ec684] libvirt: avoid changing UUID when redefining nwfilters
    - [cc86ef5] delete python bytecode before every test run
    - [3501ec2] Drop use of oslo.utils in nova
    - [392dc22] Eventlet green threads not released back to pool
    - [1e03160] Sync strutils from oslo-incubator for mask_password fix
    - [7292c02] Allow instances to attach to shared external nets
    - [dbc348d] Fix libvirt watchdog support
    - [08b5d48] HyperV Driver - Fix to implement hypervisor-uptime
  * d/p/drop-oslo-utils-usage.patch: Dropped; Fixed upstream.
  * d/p/recover-from-power-state-on-compute.patch: Dropped; Fixed upstream.
  * d/p/fix-requirements.patch: Rebased.

nova (1:2014.1.4-0ubuntu2.1) trusty; urgency=medium

  * Ensure that compute manager restarts during instance power
    operations don't leave instances stuck in transitional task
    states (LP: #1304333):
    - d/p/recover-from-power-state-on-compute.patch
      Cherry pick backport of upstream fix from OpenStack >= Juno.

nova (1:2014.1.4-0ubuntu2) trusty; urgency=medium

  [ Edward Hope-Morley ]
  * Fixed race between nova-compute and neutron-ovs-cleanup (LP: #1420572)

  [ Corey Bryant ]
  * d/control: Set minimum python-six dependency to 1.5.2 (LP: #1403114).

nova (1:2014.1.4-0ubuntu1) trusty; urgency=medium

  * Resynchronize with stable/icehouse (cac6472) (LP: #1432608):
    - [0ff6742] Websocket Proxy should verify Origin header
    - [c70e1fb] Fix kwargs['instance'] KeyError in @reverts_task_state decorator
    - [07ec12c] Revert "Eventlet green threads not released back to pool"
    - [e9cf07b] Compute: Catch binding failed exception while init host
    - [e275961] Make tests use sha256 as openssl default digest algorithm
    - [a657582] Eventlet green threads not released back to pool
    - [4b46a86] Fix image metadata returned for volumes
    - [58a6393] Check min_ram and min_disk when boot from volume
    - [c5411d2] Extends use of ServiceProxy to more methods in HostAPI in cells
    - [1e2abd6] Remove usage of self.__dict__ for message var replacement
    - [54f9225] only emit deprecation warnings once
    - [52103be] Fix disconnecting necessary iSCSI sessions issue
    - [cca94d0] Fix connecting unnecessary iSCSI sessions issue
    - [ac9f5c7] Fix wrong command for _rescan_multipath
    - [d7c8e93] Fix unsafe SSL connection on TrustedFilter
    - [9ecc468] Fix SecurityGroupExists error when booting instances
    - [33be7d7] Update "num_instance" during delete instance
    - [3de3f10] Fix nova evacuate issues for RBD
    - [fe289fb] Fix nova-compute start issue after evacuate
    - [f781656] Add _security_group_ensure_default() DBAPI method
    - [8812672] Run build_and_run_instance in a separate greenthread
    - [b6a080b] Fixes DOS issue in instance list ip filter
    - [5ab0421] Make the block device mapping retries configurable
    - [0695e14] Retry on closing of luks encrypted volume in case device is busy
    - [dffa810] Add @_retry_on_deadlock to _instance_update()
    - [f086ca3] Nova api service doesn't handle SIGHUP properly
    - [7cdb643] Fix XML UnicodeEncode serialization error
    - [98a6c1e] postgresql: use postgres db instead of template1
    - [155664f] share neutron admin auth tokens
    - [3e80433] VMware: validate that VM exists on backend prior to deletion
    - [d71445c] VMWare: Fix VM leak when deletion of VM during resizing
    - [56b62b7] Sync process utils from oslo
    - [ddd62ff] VMware: prevent race condition with VNC port allocation
    - [4174130] Fixes Hyper-V volume mapping issue on reboot
    - [bfeae68] Fix CellStateManagerFile init to failure
    - [5ec3cd3] Raise descriptive error for over volume quota
    - [f9fad7a] Fixes missing ec2 api address disassociate error on failure
    - [64ec1bf] Fix instance cross AZ check when attaching volumes
    - [698c821] Ignore errors when deleting non-existing vifs
    - [8141e7a] libvirt: Handle unsupported host capabilities
    - [df9ead9] libvirt: Make `fakelibvirt.libvirtError` match
    - [cac6472] Add _wrap_db_error() support to SessionTransaction.commit()
  * d/p/drop-oslo-utils-usage.patch: Added to override new oslo.utils dep.
  * d/p/disable-websockify-tests.patch: Added to disable websockify tests.
  * d/p/block-device-mapping-config.patch: Dropped. Fixed upstream in [5ab0421].
  * d/p/libvirt-Handle-unsupported-host-capabilities.patch: Dropped. Fixed
    upstream in [8141e7a] and [df9ead9].
  * d/p/cells-json-store.patch: Dropped. Fixed upstream in [bfeae68].
  * d/p/fix-requirements.patch: Rebased.
  * d/p/update-run-tests.patch: Run tests with default concurrency.

nova (1:2014.1.3-0ubuntu2) trusty; urgency=medium

  [ Corey Bryant ]
  * d/p/block-device-mapping-config.patch: Make the block device mapping
    retries configurable (LP: #1376927).

Date: 2017-09-13 19:23:13.502358+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/nova/1:2014.1.5-0ubuntu1.7