Today's Topics:
1. [USN-2311-2] OpenStack Ceilometer vulnerability (Jamie Strandboge)
2. [USN-2321-1] OpenStack Neutron vulnerabilities (Jamie Strandboge)
3. [USN-2322-1] OpenStack Glance vulnerability (Jamie Strandboge)
4. [USN-2323-1] OpenStack Horizon vulnerabilities (Jamie Strandboge)
5. [USN-2324-1] OpenStack Keystone vulnerabilities (Jamie Strandboge)
6. [USN-2325-1] OpenStack Nova vulnerability (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Aug 2014 15:03:21 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2311-2] OpenStack Ceilometer vulnerability
Message-ID: <53F65089.7050305@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2311-2
August 21, 2014
ceilometer vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
OpenStack Ceilometer could be made to expose sensitive information.
Software Description:
- ceilometer: OpenStack Telemetry service
Details:
USN-2311-1 fixed vulnerabilities in pyCADF. This update provides the
corresponding updates for OpenStack Ceilometer.
Original advisory details:
Zhi Kun Liu discovered that pyCADF incorrectly filtered certain tokens.
An attacker could possibly use this issue to obtain authentication tokens
used in REST requests.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
ceilometer-common 2014.1.2-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2311-2
http://www.ubuntu.com/usn/usn-2311-1
CVE-2014-4615
Package Information:
https://launchpad.net/ubuntu/+source/ceilometer/2014.1.2-0ubuntu1.1
------------------------------
Message: 2
Date: Thu, 21 Aug 2014 15:20:09 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2321-1] OpenStack Neutron vulnerabilities
Message-ID: <53F65479.1070801@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2321-1
August 21, 2014
neutron vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
OpenStack Neutron could be made to expose sensitive information or crash.
Software Description:
- neutron: OpenStack Virtual Network Service
Details:
Liping Mao discovered that OpenStack Neutron did not properly handle
requests for a large number of allowed address pairs. A remote
authenticated attacker could exploit this to cause a denial of service.
(CVE-2014-3555)
Zhi Kun Liu discovered that OpenStack Neutron incorrectly filtered certain
tokens. An attacker could possibly use this issue to obtain authentication
tokens used in REST requests. (CVE-2014-4615)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
neutron-common 1:2014.1.2-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2321-1
CVE-2014-3555, CVE-2014-4615
Package Information:
https://launchpad.net/ubuntu/+source/neutron/1:2014.1.2-0ubuntu1.1
------------------------------
Message: 3
Date: Thu, 21 Aug 2014 15:31:44 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2322-1] OpenStack Glance vulnerability
Message-ID: <53F65730.1040404@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2322-1
August 21, 2014
glance vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
OpenStack Glance could be made to stop serving requests.
Software Description:
- glance: OpenStack Image Registry and Delivery Service
Details:
Thomas Leaman and Stuart McLaren discovered that OpenStack Glance did not
properly honor the image_size_cap configuration option. A remote
authenticated attacker could exploit this to cause a denial of service via
disk consumption.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
glance-common 1:2014.1.2-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2322-1
CVE-2014-5356
Package Information:
https://launchpad.net/ubuntu/+source/glance/1:2014.1.2-0ubuntu1.1
------------------------------
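An added example, not Glance's own code, of the check the Glance advisory above concerns: enforcing an image_size_cap on the bytes actually received during an upload rather than on a size the client declared, and cleaning up the partial object when the cap is hit. The function and parameter names (store_image, backend) are assumptions for illustration.

```python
# Added example, not Glance's own code: enforce image_size_cap on the
# bytes actually received, not on a client-declared size. Names
# (store_image, backend) are assumed for illustration.


class ImageSizeLimitExceeded(Exception):
    """Raised as soon as an upload passes image_size_cap."""


def capped_chunks(chunks, image_size_cap):
    """Yield upload chunks, aborting the moment the running byte count
    exceeds the cap. Checking every chunk means a client that lies about
    (or omits) Content-Length still cannot write past the cap."""
    seen = 0
    for chunk in chunks:
        seen += len(chunk)
        if seen > image_size_cap:
            raise ImageSizeLimitExceeded(
                "upload exceeded image_size_cap of %d bytes" % image_size_cap)
        yield chunk


def store_image(image_id, chunks, image_size_cap, backend, declared_size=None):
    """Write an upload into 'backend' (a dict standing in for the store).

    A declared size over the cap is rejected before any bytes are read;
    otherwise the cap is enforced on the stream itself, and a partial
    object is deleted if the cap is hit mid-upload so that failed uploads
    cannot accumulate on disk. Returns the number of bytes stored."""
    if declared_size is not None and declared_size > image_size_cap:
        raise ImageSizeLimitExceeded(
            "declared size %d exceeds image_size_cap" % declared_size)
    backend[image_id] = bytearray()
    try:
        for chunk in capped_chunks(chunks, image_size_cap):
            backend[image_id].extend(chunk)
    except ImageSizeLimitExceeded:
        del backend[image_id]          # model deleting the partial object
        raise
    return len(backend[image_id])


def demo():
    """Constructed sample: a 10-byte upload against an 8-byte cap.
    Returns whether a partial object was left behind (it should not be)."""
    backend = {}
    try:
        store_image("img-1", [b"abcd", b"efgh", b"ij"], 8, backend)
    except ImageSizeLimitExceeded:
        pass
    return "img-1" in backend
```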
Message: 4
Date: Thu, 21 Aug 2014 15:53:45 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2323-1] OpenStack Horizon vulnerabilities
Message-ID: <53F65C59.4070603@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2323-1
August 21, 2014
horizon vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenStack Horizon.
Software Description:
- horizon: Web interface for OpenStack cloud infrastructure
Details:
Jason Hullinger discovered that OpenStack Horizon did not properly perform
input sanitization on Heat templates. If a user were tricked into using a
specially crafted Heat template, an attacker could conduct cross-site
scripting attacks. With cross-site scripting vulnerabilities, if a user
were tricked into viewing server output during a crafted server request, a
remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2014-3473)
Craig Lorentzen discovered that OpenStack Horizon did not properly perform
input sanitization when creating networks. If a user were tricked into
launching an image using the crafted network name, an attacker could
conduct cross-site scripting attacks. (CVE-2014-3474)
Michael Xin discovered that OpenStack Horizon did not properly perform
input sanitization when adding users. If an admin user were tricked into
viewing the users page containing a crafted email address, an attacker
could conduct cross-site scripting attacks. (CVE-2014-3475)
Dennis Felsch and Mario Heiderich discovered that OpenStack Horizon did not
properly perform input sanitization when creating host aggregates. If an
admin user were tricked into viewing the Host Aggregates page containing a
crafted availability zone name, an attacker could conduct cross-site
scripting attacks. (CVE-2014-3594)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
openstack-dashboard 1:2014.1.2-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2323-1
CVE-2014-3473, CVE-2014-3474, CVE-2014-3475, CVE-2014-3594
Package Information:
https://launchpad.net/ubuntu/+source/horizon/1:2014.1.2-0ubuntu1.1
------------------------------
Message: 5
Date: Thu, 21 Aug 2014 16:11:25 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2324-1] OpenStack Keystone vulnerabilities
Message-ID: <53F6607D.8000209@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2324-1
August 21, 2014
keystone vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenStack Keystone.
Software Description:
- keystone: OpenStack identity service
Details:
Steven Hardy discovered that OpenStack Keystone did not properly handle
chained delegation. A remote authenticated attacker could use this to
gain privileges by creating a new token with additional roles.
(CVE-2014-3476)
Jamie Lennox discovered that OpenStack Keystone did not properly validate
the project id. A remote authenticated attacker may be able to use this to
access other projects. (CVE-2014-3520)
Brant Knudson and Lance Bragstad discovered that OpenStack Keystone would
not always revoke tokens correctly. If Keystone were configured to use
revocation events, a remote authenticated attacker could continue to have
access to resources. (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-keystone 1:2014.1.2.1-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2324-1
CVE-2014-3476, CVE-2014-3520, CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Package Information:
https://launchpad.net/ubuntu/+source/keystone/1:2014.1.2.1-0ubuntu1.1
------------------------------
Message: 6
Date: Thu, 21 Aug 2014 16:22:10 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2325-1] OpenStack Nova vulnerability
Message-ID: <53F66302.2090104@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2325-1
August 21, 2014
nova vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
OpenStack Nova could be made to expose sensitive information over the
network.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Alex Gaynor discovered that OpenStack Nova would sometimes respond with
variable times when comparing authentication tokens. If nova were
configured to proxy metadata requests via Neutron, a remote authenticated
attacker could exploit this to conduct timing attacks and ascertain
configuration details of another instance.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-nova 1:2014.1.2-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2325-1
CVE-2014-3517
Package Information:
https://launchpad.net/ubuntu/+source/nova/1:2014.1.2-0ubuntu1.1
------------------------------
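An added example, not Nova's own code, illustrating the Nova advisory above: why an early-exit comparison of authentication tokens leaks timing, and the constant-time comparison a fixed service should use. The HMAC-SHA256 signing of the instance id under a shared secret and the function names are assumptions for illustration.

```python
# Added example, not Nova's own code: comparing a metadata-proxy request
# signature in constant time. Assumed: the proxy signs the instance id
# with HMAC-SHA256 under a shared secret and sends the hex digest in a
# header, which the service recomputes and compares.
import hashlib
import hmac

SHARED_SECRET = b"constructed-shared-secret"   # constructed sample value


def expected_signature(instance_id, secret=SHARED_SECRET):
    """Hex HMAC-SHA256 of the instance id under the shared secret."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def naive_compare(a, b):
    """Models the vulnerable path: an early-exit comparison like '=='.
    Returns (equal, bytes_examined); the second value is the side
    channel, since it grows with the length of the correct prefix and
    shows up as response time."""
    if len(a) != len(b):
        return False, 0
    for i in range(len(a)):
        if a[i] != b[i]:
            return False, i + 1
    return True, len(a)


def constant_time_compare(a, b):
    """Hardened form: every byte is examined and differences are folded
    with OR, so the work done does not depend on where inputs differ."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_signature(instance_id, presented, secret=SHARED_SECRET):
    """What a fixed service should do: use the standard library's
    hmac.compare_digest on bytes. Encoding first matters because the
    presented header is attacker-controlled and compare_digest rejects
    str containing non-ASCII characters."""
    expected = expected_signature(instance_id, secret).encode()
    return hmac.compare_digest(expected, presented.encode())
```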
End of ubuntu-security-announce Digest, Vol 119, Issue 14