Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20240307224501.c7jr2xfefbgo2olv@yuggoth.org>
Date: Thu, 7 Mar 2024 22:45:01 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: OSSN-0093: Unresolved Vulnerability in OpenStack Murano

OSSN-0093
Unresolved Vulnerability in OpenStack Murano

### Summary ###
A severe security vulnerability in all versions of the Murano
service will be disclosed at a later date. Murano is an inactive
project[*], so no fix is currently under development for this
vulnerability. It is strongly recommended that any OpenStack
deployments disable or fully remove Murano, if installed, at the
earliest opportunity. This security note will be amended at the time
of public disclosure to include further details and context, but
action should be taken as soon as possible in order to minimize the
risk it poses.

[*] https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects

### Affected Services / Software ###
- murano: all versions

### Discussion ###
This security note is a redacted placeholder, and will be amended
with complete details once the associated bug report becomes public.

### Recommended Actions ###
Disable the Murano service in, or fully remove it from, all
OpenStack deployments at the earliest opportunity.

### Credits ###
Not yet disclosed.

### Contacts / References ###
Authors:
- Jeremy Stanley, OpenStack Vulnerability Coordinator

This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0093

Original bug: https://launchpad.net/bugs/2048114 (not yet public)

Mailing List : [security-sig] openstack-discuss@...ts.openstack.org

-- 
Jeremy Stanley, OpenStack Vulnerability Coordinator

Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.