[PKG-Openstack-devel] Bug#796108: CVE-2015-5694 CVE-2015-5695

Kiall Mac Innes kiall at macinnes.ie
Wed Aug 19 14:41:29 UTC 2015


Reworked patch, minus the tests.

The OpenStack/Designate project during icehouse did not cap 
requirements, causing the unit tests to fail to run.

I would recommend ensuring the tests pass given the set of dependencies 
in Jessie before applying and pushing.

Thanks,
Kiall

On 19/08/15 09:36, Kiall Mac Innes wrote:
> Hey - Upstream Designate maintainer here.
>
> Icehouse - aka 2014.1 - is partially affected by CVE-2015-5695, 
> failure to enforce recordset quotas.
>
> This was the less severe of the two CVEs, which we treated as a 
> feature not implemented rather than a security issue initially. 
> Additionally, the issue could only be exploited through the 
> disabled-by-default, marked-experimental V2 API.
>
> Regardless - The patch at [1] should be easy enough to re-work for 
> Icehouse.
>
> Thanks,
> Kiall
>
> [1]: https://launchpadlibrarian.net/211525408/bug-1471161-quotas-kilo.patch
>
> On 19/08/15 09:11, Moritz Muehlenhoff wrote:
>> Source: designate
>> Severity: grave
>> Tags: security
>>
>> Hi,
>> please see the thread starting here:
>> https://marc.info/?l=oss-security&m=143810184926097&w=2
>>
>> Can you please check with upstream whether 2014.1 from jessie
>> is affected, if so we should fix it.
>>
>> Cheers,
>>          Moritz
>>
>>
>
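The defect class discussed in this thread (CVE-2015-5695, recordset quotas not enforced on one API path) can be illustrated with a small model. This is an added example, not Designate's code or the attached patch: the class names, the V1/V2 front-ends, the default quota value and the tenant and zone names are all hypothetical. It shows the unchecked creation path beside a checked one, and places the quota check in a single shared layer that every API version must call, so that a newer front-end cannot bypass it.

```python
"""Recordset quota enforcement in one shared service layer (added example).

The `create_recordset_unchecked` path models the defect: recordsets are
stored without consulting the tenant's quota. `create_recordset` is the
fixed path. Both API front-ends below go through the same central object,
so the check cannot be skipped by adding another API version.
"""
from collections import defaultdict


class OverQuota(Exception):
    """Raised when a creation would exceed the tenant's recordset quota."""


# Hypothetical default used for this example, not Designate's real setting.
DEFAULT_RECORDSETS_PER_ZONE = 3


class CentralService:
    """Stand-in for a central service shared by all API versions."""

    def __init__(self, default_quota=DEFAULT_RECORDSETS_PER_ZONE):
        self.default_quota = default_quota
        self.tenant_quotas = {}                # tenant -> per-zone quota
        self.recordsets = defaultdict(list)    # (tenant, zone) -> names

    def set_quota(self, tenant, limit):
        self.tenant_quotas[tenant] = limit

    def quota_for(self, tenant):
        return self.tenant_quotas.get(tenant, self.default_quota)

    def count(self, tenant, zone):
        return len(self.recordsets[(tenant, zone)])

    def _check_quota(self, tenant, zone):
        # Reject if storing one more recordset would exceed the quota.
        if self.count(tenant, zone) + 1 > self.quota_for(tenant):
            raise OverQuota(
                f"{tenant} would exceed {self.quota_for(tenant)} "
                f"recordsets in {zone}")

    def create_recordset_unchecked(self, tenant, zone, name):
        # Vulnerable path: stores without any quota check.
        self.recordsets[(tenant, zone)].append(name)
        return name

    def create_recordset(self, tenant, zone, name):
        # Fixed path: every front-end must go through this method.
        self._check_quota(tenant, zone)
        self.recordsets[(tenant, zone)].append(name)
        return name


class V1Api:
    """Hypothetical older front-end; delegates to the central service."""

    def __init__(self, central):
        self.central = central

    def post_recordset(self, tenant, zone, body):
        return self.central.create_recordset(tenant, zone, body["name"])


class V2Api:
    """Hypothetical newer front-end; must not grow its own storage path."""

    def __init__(self, central):
        self.central = central

    def post_recordset(self, tenant, zone, body):
        return self.central.create_recordset(tenant, zone, body["name"])


def demo(quota=2, attempts=5):
    """Try `attempts` creations on each path.

    Returns (stored_unchecked, stored_checked, rejected_checked).
    """
    vuln = CentralService(default_quota=quota)
    fixed = CentralService(default_quota=quota)
    tenant, zone = "tenant-a", "example.org."   # constructed sample values
    for i in range(attempts):
        vuln.create_recordset_unchecked(tenant, zone, f"rs{i}")
    rejected = 0
    api = V2Api(fixed)
    for i in range(attempts):
        try:
            api.post_recordset(tenant, zone, {"name": f"rs{i}"})
        except OverQuota:
            rejected += 1
    return (vuln.count(tenant, zone), fixed.count(tenant, zone), rejected)


def per_tenant_override_holds():
    """A tenant-specific quota applies on both API versions."""
    central = CentralService()
    central.set_quota("tenant-b", 1)
    V1Api(central).post_recordset("tenant-b", "example.net.", {"name": "a"})
    try:
        V2Api(central).post_recordset("tenant-b", "example.net.", {"name": "b"})
    except OverQuota:
        return True
    return False


if __name__ == "__main__":
    print(demo())                      # (5, 2, 3)
    print(per_tenant_override_holds()) # True
```

The point of keeping `_check_quota` inside `CentralService` rather than in each API class is that a new API version, such as the experimental V2 mentioned in the thread, inherits the enforcement automatically instead of having to duplicate it. A regression test that drives each front-end past the quota is the check a packager would want to keep alongside a backport.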

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Ensure-RecordSet-quotas-are-enforced.patch
Type: text/x-patch
Size: 1885 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20150819/33fbb4fa/attachment.bin>
