Mirantis OpenStack

OpenSSL DROWN vulnerability and related CVEs

Bug #1552662 reported by Adam Heczko on 2016-03-03

262

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Mirantis OpenStack	Fix Released	High	Denis Puchkin	Mirantis OpenStack 8.0-updates
	5.1.x	Won't Fix	High	Denis Puchkin	Mirantis OpenStack 5.1.1-updates
	6.0.x	Won't Fix	High	Denis Puchkin	Mirantis OpenStack 6.0-updates
	6.1.x	Fix Released	High	Denis Puchkin	Mirantis OpenStack 6.1-mu-7
	7.0.x	Fix Released	High	Denis Puchkin	Mirantis OpenStack 7.0-mu-4
	8.0.x	Fix Released	High	Denis Puchkin	Mirantis OpenStack 8.0-mu-2
	9.x	Invalid	High	MOS Linux	Mirantis OpenStack 9.0

Bug Description

Problem description:
OpenSSL package shipped with MOS have multiple security vulnerabilities.
These packages are coming from upstream Linux distributions and we should provide information + mechanism how to apply patches from upstream.

Upstream information:
https://access.redhat.com/security/vulnerabilities/drown
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0800.html
http://www.ubuntu.com/usn/usn-2914-1/

Solution proposal:
Proposal is described in this Google sheet:
https://docs.google.com/spreadsheets/d/1Sbh99pGwAjTcMdbRP2A6CtFI6fHvA7Ao4JG-5-lgty4/edit#gid=0

Tags:

Adam Heczko (aheczko-mirantis) on 2016-03-03

Changed in mos:
assignee:	nobody → MOS Maintenance (mos-maintenance)

Revision history for this message

Dmitry Teselkin (teselkin-d) wrote on 2016-03-04:

#1

Tarballs for CentOS-6, Ubuntu-12.04 with updated packages http://172.18.10.67/drown/

Revision history for this message

Dmitry Teselkin (teselkin-d) wrote on 2016-03-10:

#2

9.0 is based on CentOS-7.2 where this bug was fixed.

Revision history for this message

Dmitry Teselkin (teselkin-d) wrote on 2016-03-10:

#3

Packages for 8.0 http://172.18.10.67/RHSA-2016_0301-c7x64.tar.gz

Revision history for this message

Vitaly Sedelnik (vsedelnik) wrote on 2016-06-01:

#4

Fix Committed for 7.0-updates as the packages are in http://pkg-updates.fuel-infra.org/centos6/

Adam Heczko (aheczko-mirantis) on 2016-06-21

tags:

added: feature-security

Revision history for this message

Denis Puchkin (dpuchkin) wrote on 2016-06-29:

#5

Fix Committed for 8.0-updates as the packages are in http://pkg-updates.fuel-infra.org/centos7/

Vitaly Sedelnik (vsedelnik) on 2016-07-19

information type:

Private Security → Public Security

Revision history for this message

Denis Puchkin (dpuchkin) wrote on 2016-07-20:

#6

Fix Committed for 6.1-updates as the packages are in http://pkg-updates.fuel-infra.org/centos6

Revision history for this message

Alexey Stupnikov (astupnikov) wrote on 2017-05-29:

#7

MOS5.1 and MOS6.0 are no longer supported, moving to Won't Fix.

Changed in mos:
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.