An error occurred while fuel plugin removing with plugin multiversioning
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | Fix Committed | High | Ilya Kutukov |
Mitaka | Fix Released | High | Ilya Kutukov |
Bug Description
Detailed bug description:
Fuel allows you to install plugins that have the same version but different versions of the packages (for example: http://
Steps to reproduce:
1. Create a new fuel plugin with version=1.0.0 and package_
2. Create a new fuel plugin with version=1.0.0 and package_
3. Upload to master node and install it.
4. Remove one of these plugins.
Expected results:
Successfully removing one (or all) of these plugins.
Actual result:
Plugins are not removed and an error message is caused by: http://
Reproducibility:
On all fuel environments.
Workaround:
Remove rpm package from system and mirrors. Remove record allocated with plugin from database.
Impact:
This is a serious bug containing a potential vulnerability through which an attacker can get partial information from the database.
Description of the environment:
Operating system: Linux fuel.domain.tld 3.10.0-
Versions of components: 9.0
Shotgun2 report: http://
Reference architecture: -
Network model: -
Related projects installed: fuel-plugins, nailgun
Additional information:
It is very unsafe to show such detailed error messages; it is probably necessary to implement a debug mode which will display detailed error reports.
Changed in fuel:
importance: Undecided → Critical
description: updated
Changed in fuel:
milestone: none → 9.0
summary:
- An error occurred while fuel plugin removing
+ An error occurred while fuel plugin removing with plugin multiversioning
Changed in fuel:
assignee: Fuel Python Team (fuel-python) → Ilya Kutukov (ikutukov)
Changed in fuel:
status: Confirmed → In Progress
tags: added: on-verification
I don't see how this bug can be exploited by anyone who cannot get root access without this hack. Removing the 'private security' tag.