Message-ID: <CAE4Awf_8r72i26qrxxiK_DUuysdM35n0Pwf15nicTSXNE71Cug@mail.gmail.com>
Date: Tue, 9 Apr 2019 10:51:04 -0500
From: Gage Hugo <gagehugo@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2019-002] neutron-openvswitch-agent: Unable to install new flows on compute nodes when having broken security group rules (CVE-2019-10876)

===========================================================================================
OSSA-2019-002: Overlapping security group rules prevents compute node network configuration
===========================================================================================

:Date: April 08, 2019
:CVE: CVE-2019-10876

Affects
~~~~~~~
- Neutron: >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3

Description
~~~~~~~~~~~
Diko Parvanov (Canonical) reported a vulnerability in neutron-openvswitch-agent security group rules. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent neutron from being able to configure networks on any compute nodes where those security groups are present. All neutron deployments utilizing neutron-openvswitch-agent are affected.

Patches
~~~~~~~
- https://review.openstack.org/648102 (Pike)
- https://review.openstack.org/648004 (Queens)
- https://review.openstack.org/648003 (Rocky)
- https://review.openstack.org/648002 (Stein)
- https://review.openstack.org/640252 (Train)

Credits
~~~~~~~
- Diko Parvanov from Canonical (CVE-2019-10876)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1813007
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10876
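To triage an inventory against the Affects ranges above, the following added example (not part of the advisory or of OpenStack code) parses that range expression and tests a Neutron upstream version against it. The function names are hypothetical, and the code assumes plain X.Y.Z versions with an optional pbr-style `.devN` suffix, which it orders before the release it leads up to so that pre-release builds of a fixed version are still flagged.

```python
import re

# Range expression copied from the "Affects" section of the advisory.
AFFECTS = ">=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3"

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
# Two-character operators come first so ">=" is not read as ">".
_BOUND = re.compile(r"(>=|<=|==|>|<)\s*(\d+\.\d+\.\d+)")
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(\.dev\d+)?")


def parse_version(text):
    """Return a sortable 4-tuple; a .devN build sorts before its release."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, -1 if m.group(4) else 0)


def parse_affects(expr):
    """Split 'A, B, C' into clauses; each clause is a list of (op, bound)."""
    clauses = []
    for clause in expr.split(","):
        bounds = [(op, parse_version(v)) for op, v in _BOUND.findall(clause)]
        if not bounds:
            raise ValueError("no version bound in clause: %r" % clause)
        clauses.append(bounds)
    return clauses


def is_affected(version, expr=AFFECTS):
    """True if version satisfies every bound of at least one clause."""
    v = parse_version(version)
    return any(
        all(_OPS[op](v, bound) for op, bound in clause)
        for clause in parse_affects(expr)
    )


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for ver in ("11.0.6", "12.0.6", "12.0.6.dev14", "13.0.3"):
        print(ver, "affected" if is_affected(ver) else "not in range")
```

A version inside a range only means the upstream release predates the fix; a distribution package can carry the patch under the same upstream version number, so confirm against the package changelog.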