Ubuntu
nova package

[Precise] nova is vulnerable to CVE-2012-1585

Bug #968411 reported by Tyler Hicks
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nova (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

Nova is vulnerable to storage resource exhaustion via the Nova API log file. Invalid requests can be made, using extremely long server names, which result in the log file growing considerably large.

I've addressed this issue in Oneiric and Natty, but need a sponsor for Precise. Debdiff to soon follow.

Related branches

lp:~openstack-ubuntu-testing/nova/precise-essex-proposed
Chuck Short: Pending requested
Diff: 56 lines (+14/-4)
3 files modified
debian/changelog (+8/-0)
debian/control (+6/-3)
debian/nova-console.install (+0/-1)
lp:ubuntu/precise/nova
lp:~openstack-ubuntu-testing/nova/raring-grizzly

CVE References

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Debdif against 2012.1~rc1-0ubuntu2. Tested using the in-tree test suite. The new tests, added by the patch in the debdiff, successfully pass.

visibility: private → public
Revision history for this message
Micah Gersten (micahg) wrote :

unsubscribing -sponsors since this has been merged in

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1~rc2-0ubuntu1

---------------
nova (2012.1~rc2-0ubuntu1) precise; urgency=low

  [ Adam Gandelman ]
  * debian/control: Remove unncessary nova-cert dependency from nova-api.
    (LP: #965356)
  * debian/nova-common.postinst: Clean up spacing, remove redundant chown,
    set blanket 0700 nova.nova permissions on /etc/nova/
  * debian/nova-compute-{kvm, lxc, uml, xen}.postinst: Set proper permissions
    on /etc/nova/nova-compute.conf (LP: #861459)
  * debian/nova-common.postinst: Ensure default nova.sqlite database is not
    world-readable.
  * debian/{rules, nova-common.{install, postinst}}: Install api-paste.ini 0600
    with nova-common (in prepartion for proper nova-api-* package separation)
  * debian/{nova-common.nova-manage.logrotate,
    nova-network.nova-dhcpbridge.logrotate, rules}: Add lograte files,
    override_dh_installlogrotate. (LP: #942646)
  * Add manpage stubs for nova-api-ec2, nova-api-metadata,
    nova-api-os-{volume, compute}, nova-rootwrap. Use sphinx built manpage
    for nova-manage (nova-common.manpages)
  * debian/nova-compute-{kvm, xen, uml, qemu}.postinst: Remove calls to
    adduser since this is already handled from nova-compute.postsinst in a
    vendor neutral way. Silences lintian errors regarding adduser dependency

  [ Chuck Short ]
  * New upstream version.
  * debian/patches/libvirt-use-console-pipe.patch: Dropped.
  * debian/patches/nova-console-monitor.patch: Add console-monitor
    option.
  * debian/nova.conf: Enable use_console_monitor
  * debian/patches/fix-ubuntu-tests.patch: Fix nova testsuite.
  * debian/rules: fail package build if testsuite fails.
  * debian/patches/validate_server_name_length.patch: Dropped no longer
    needed.
  * debian/patches/fix-docs-build-without-network.patch: Some docs need
    a network connection in order to build. Disable fetching docs from
    the internet.
  * debian/patches/0001-fix-useexisting-deprecation-warnings.patch:
    Remove deprecated warnings with sqlalchemy.

  [ Tyler Hicks ]
  * SECURITY UPDATE: Denial of service via resource exhaustion in nova-api
    (LP: #968411)
    - debian/patches/validate_server_name_length.patch: Limit server names
      to a maximum of 255 characters to prevent nova-api log files from
      exhausting storage space. Based on upstream patch.
    - CVE-2012-1585
 -- Chuck Short <email address hidden> Mon, 02 Apr 2012 11:17:33 -0400

Changed in nova (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.