OpenStack-Ansible

Qemu version pin vulnerable to VENOM

Bug #1454677 reported by Christopher H. Laco on 2015-05-13

264

This bug affects 2 people

	Status	Importance	Assigned to
OpenStack-Ansible	Invalid	Critical	Unassigned
Icehouse	Won't Fix	Critical	Unassigned
Juno	Won't Fix	Critical	Unassigned

Bug Description

With the public disclosure of CVE-2015-3456, the version of qemu will need to be bumped in Juno/Icehouse once the updated package is released upstream. The currently pinned version is qemu: 2.0.0+dfsg-2ubuntu1.2

Further information can be found:

http://venom.crowdstrike.com/
http://seclists.org/oss-sec/2015/q2/421
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
https://rhn.redhat.com/errata/RHSA-2015-0998.html
http://www.darkreading.com/cloud/venom-zero-day-may-affect-thousands-of-cloud-virtualization-products/d/d-id/1320389
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3456.html
http://lists.openstack.org/pipermail/openstack-operators/2015-May/006945.html

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/VENOM

See original description

Tags:

CVE References

2015-3456

Christopher H. Laco (claco) on 2015-05-13

tags:

added: icehouse-backport-potential impacts-doc juno-backport-potential

Christopher H. Laco (claco) on 2015-05-13

description:	updated
description:	updated

Revision history for this message

Kevin Carter (kevin-carter) wrote on 2015-05-13:

While the issue of the qemu package effects all of Ubuntu 14.04 the issue due to package pinning does not effect trunk and kilo as such trunk has been marked as invalid.

no longer affects:	openstack-ansible/trunk
Changed in openstack-ansible:
status:	New → Invalid

Christopher H. Laco (claco) on 2015-05-13

description:

updated

Christopher H. Laco (claco) on 2015-05-13

description:

updated

Christopher H. Laco (claco) on 2015-05-13

description:

updated

Revision history for this message

George Shuklin (george-shuklin) wrote on 2015-05-15:

Can someone explain how it can affect openstack installation? I don't see any 'virtual floppy' device inside guest machines.

Revision history for this message

Ian Cordasco (icordasc) wrote on 2015-05-16:

George, please see the discussion on the openstack-operators mailing list: http://lists.openstack.org/pipermail/openstack-operators/2015-May/006945.html

Revision history for this message

Jimmy McCrory (jimmy-mccrory) wrote on 2015-06-02:

Does this only apply to the script creating a frozen RPC repo?
https://raw.githubusercontent.com/stackforge/os-ansible-deployment/juno/scripts/elsa_repo_config.yml

Revision history for this message

Christopher H. Laco (claco) wrote on 2015-06-08:

Jimmy, I filed this as it happened so people would at least dig in further. I very well may be the case now that this barely effects anything, except as you've noticed, the repo config file you have linked to.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.