[RHSA-2018:2332-01] Moderate: openstack-nova security, bug fix, and enhancement update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Mon Aug 20 12:57:03 UTC 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-nova security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:2332-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2332
Issue date:        2018-08-20
CVE Names:         CVE-2017-18191 
=====================================================================

1. Summary:

An update for openstack-nova is now available for Red Hat OpenStack
Platform 12.0 (Pike).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 12.0 - noarch

3. Description:

OpenStack Compute (nova) launches and schedules large networks of virtual
machines, creating a redundant and scalable cloud computing platform.
Compute provides the software, control panels, and APIs required to
orchestrate a cloud, including running virtual machine instances and
controlling access through users and projects.

The following packages have been upgraded to a later upstream version:
openstack-nova (16.1.4). (BZ#1591212)

Security Fix(es):

* openstack-nova: Swapping encrypted volumes can allow an attacker to
corrupt the LUKS header causing a denial of service in the host
(CVE-2017-18191)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

For more information about the bug fixes and enhancements included with
this update, see the "Technical Notes" section of the Release Notes 
linked in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1516271 - [RHOS-12.0.z] Add RPM deps to require install of qemu-kvm-rhev, not qemu-kvm-rhel
1537047 - Bug in log output in hardware.py "Not enough available memory to schedule instance" prints full memory instead of available memory
1539703 - By rebuilding twice with the same "forbidden" image one can circumvent scheduler rebuild restrictions
1546937 - CVE-2017-18191 openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host
1547578 - Nova assumes that a volume is fully detached from the compute if the volume is not defined in the instance's libvirt definition
1556851 - Instance hard reboots fail due to a TimeoutException being thrown waiting for vif-plugged events from Neutron
1557938 - [BACKPORT Request] Nova returns a traceback when it's unable to detach a volume still in use
1558706 - [OSP 12] nova get-password returns blank line
1569955 - preallocate_images = space is not honoured when using qcow2
1570314 - When creating a stack with not enough resource, volumes remain in attaching
1572836 - nova-compute should log messages about stale resource allocations at warning priority
1573799 - Fix setting tx_queue_size when rx_queue_size is not set
1575985 - Duplicate imports of oslo_config types
1579785 - On split-stack setups, left over node information prevents a node from rejoin the cloud
1590514 - Rebase openstack-nova to aa7714c
1591212 - Rebase openstack-nova to 16.1.4
1591296 - [RHOS-12][rebase] Lift the restriction on choices for `cpu_model_extra_flags` config attribute

6. Package List:

Red Hat OpenStack Platform 12.0:

Source:
openstack-nova-16.1.4-6.el7ost.src.rpm

noarch:
openstack-nova-16.1.4-6.el7ost.noarch.rpm
openstack-nova-api-16.1.4-6.el7ost.noarch.rpm
openstack-nova-cells-16.1.4-6.el7ost.noarch.rpm
openstack-nova-common-16.1.4-6.el7ost.noarch.rpm
openstack-nova-compute-16.1.4-6.el7ost.noarch.rpm
openstack-nova-conductor-16.1.4-6.el7ost.noarch.rpm
openstack-nova-console-16.1.4-6.el7ost.noarch.rpm
openstack-nova-migration-16.1.4-6.el7ost.noarch.rpm
openstack-nova-network-16.1.4-6.el7ost.noarch.rpm
openstack-nova-novncproxy-16.1.4-6.el7ost.noarch.rpm
openstack-nova-placement-api-16.1.4-6.el7ost.noarch.rpm
openstack-nova-scheduler-16.1.4-6.el7ost.noarch.rpm
openstack-nova-serialproxy-16.1.4-6.el7ost.noarch.rpm
openstack-nova-spicehtml5proxy-16.1.4-6.el7ost.noarch.rpm
python-nova-16.1.4-6.el7ost.noarch.rpm
python-nova-tests-16.1.4-6.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18191
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/release_notes/

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW3q6ntzjgjWX9erEAQijWg//cXtsrbGKFi/TZ7QQGLaYdD7keVNnNtfo
RoZvFtMZxJFYXPWvd0thq5ma2+LwjkC5SeEfxPzSI6soCgFnwVmnO1W6SacOToFz
EsEg5GTPi85qIpvoEH8BNg7L5wLIh3FPnkVlCaRlG6p6yzGoOu4v72CYq1Zuws9e
5qlh7O/aKUCyJOkk7sgAp3nnUzXzzc0yRIeTxW4C1xuS2OjuMCCJKH1mlLcnA4Tm
Dh5LSKuYkZpC5SO+V1wPrR4ubuPXNr7hjldRcpQzjowP95nHYBfYzu41OrphAaAZ
Q2BmzVdqT/8TGpU8aRCZmxY4SE/14jDaXhYKhbrLys3+WDsXMXmxBUvwRXFF35wt
tVsQr+rmSI9IBLnvxKA2LraCnvWNg/NZKKZPqBvSrxVkrvaymbpZrvo7KqAaREpk
A2Xr/bfCvD+Dhl8C01z3PsXhDafj6zIBwffjzJbDVlzxoq39mjxy0JZrkKHpJdZ4
bSL/cZ3+ldSwDkgYye5tMMUocY8l6mliGJA7/uVCjeOeMjSD++FlPH+zXAS21LOV
S5DyN+PPIYke8XZPpiu6ZMEHFVSZRc/XN27UJfaKnIB77PFewgUo/rNFTiGkE33A
7FwKtCcz3VIJXkspea93wtAzGawmrNU9Cx4slfm7boOVrtjSIOjC6WtBH+F6a9z3
l3UQ8NJTGss=
=LF1S
-----END PGP SIGNATURE-----




More information about the RHSA-announce mailing list