default apache limitrequestbody dropped

Bug #2012588 reported by Kendrick Luong
This bug affects 1 person
Affects         Status          Importance   Assigned to      Milestone
kolla-ansible   Fix Released    Medium       Maksim Malchuk
Xena            Fix Released    Medium       Maksim Malchuk
Yoga            Fix Released    Medium       Maksim Malchuk
Zed             Fix Released    Medium       Maksim Malchuk

Bug Description

Apache LimitRequestBody has been reduced to 1GB https://access.redhat.com/articles/6975397

Large images can't be uploaded by default; this value should be a parameter in globals.yml if possible.

Changed in kolla-ansible:
status: New → Confirmed
assignee: nobody → Maksim Malchuk (mmalchuk)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/879320

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/879321

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/879322

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/878416
Committed: https://opendev.org/openstack/kolla-ansible/commit/d907790fffaf392f40ac5e6d824e72995c1f612c
Submitter: "Zuul (22348)"
Branch: master

commit d907790fffaf392f40ac5e6d824e72995c1f612c
Author: Maksim Malchuk <email address hidden>
Date: Thu Mar 23 16:49:45 2023 +0300

    Add LimitRequestBody configuration for Horizon

    Since CVE-2022-29404 is fixed [1,2] the default value for the
    LimitRequestBody directive in the Apache HTTP Server has been changed
    from 0 (unlimited) to 1 GiB. This limits the size of images (for
    example) uploaded in Horizon. This change adds the ability to
    configure the limit.

    1. https://access.redhat.com/articles/6975397
    2. https://ubuntu.com/security/CVE-2022-29404

    Closes-Bug: #2012588
    Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9
    Signed-off-by: Maksim Malchuk <email address hidden>
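
Added example (not part of the bug report or of kolla-ansible's code): a Python check that resolves the effective LimitRequestBody for each section of an Apache config fragment, applying the 1 GiB default described in the commit message when no directive is set, and classifies an upload of a given size. The sample config, its paths and the function names are constructed for illustration; inheritance is simplified to the nearest enclosing section rather than Apache's full merge order.

```python
import re

GIB = 1024 ** 3
PATCHED_DEFAULT = GIB  # default once CVE-2022-29404 is fixed; 0 means unlimited
CLOSE = re.compile(r"^</\s*\w+\s*>$")
OPEN = re.compile(r"^<\s*(\w+)([^>]*)>$")
LIMIT = re.compile(r"^LimitRequestBody\s+(\d+)$", re.IGNORECASE)

# Constructed sample; the vhost and Location paths are hypothetical.
SAMPLE_CONF = """\
<VirtualHost *:80>
    <Location "/legacy">
        LimitRequestBody 0
    </Location>
    <Location "/upload">
        LimitRequestBody 8589934592
    </Location>
</VirtualHost>
"""

def limits_by_scope(conf_text):
    """Return {scope name: effective LimitRequestBody in bytes}."""
    scopes = [{"name": "server", "parent": None, "limit": None}]
    current = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            current = scopes[current]["parent"] or 0
        elif m := OPEN.match(line):
            name = f"{m.group(1)} {m.group(2).strip()}".strip()
            scopes.append({"name": name, "parent": current, "limit": None})
            current = len(scopes) - 1
        elif m := LIMIT.match(line):
            scopes[current]["limit"] = int(m.group(1))  # last one in a scope wins
    resolved = {}
    for scope in scopes:
        node = scope  # walk outwards to the nearest section that sets a limit
        while node["limit"] is None and node["parent"] is not None:
            node = scopes[node["parent"]]
        limit = node["limit"]
        resolved[scope["name"]] = PATCHED_DEFAULT if limit is None else limit
    return resolved

def verdict(limit, body_bytes):
    if limit == 0:  # explicit 0 restores the pre-fix behaviour: no cap at all
        return "unlimited"
    return "accepted" if body_bytes <= limit else "rejected"
```

With the sample above, a 2 GiB image is rejected in the vhost that relies on the default and accepted under the section that raises the limit to 8 GiB.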

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/879321
Committed: https://opendev.org/openstack/kolla-ansible/commit/17fb4050650da952858fcade902d055c09c66903
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 17fb4050650da952858fcade902d055c09c66903
Author: Maksim Malchuk <email address hidden>
Date: Thu Mar 23 16:49:45 2023 +0300

    Add LimitRequestBody configuration for Horizon

    Since CVE-2022-29404 is fixed [1,2] the default value for the
    LimitRequestBody directive in the Apache HTTP Server has been changed
    from 0 (unlimited) to 1 GiB. This limits the size of images (for
    example) uploaded in Horizon. This change adds the ability to
    configure the limit.

    1. https://access.redhat.com/articles/6975397
    2. https://ubuntu.com/security/CVE-2022-29404

    Closes-Bug: #2012588
    Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit d907790fffaf392f40ac5e6d824e72995c1f612c)

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/879322
Committed: https://opendev.org/openstack/kolla-ansible/commit/fd73e0ecd3a856e923cbde54e2930eb8c947fa5d
Submitter: "Zuul (22348)"
Branch: stable/xena

commit fd73e0ecd3a856e923cbde54e2930eb8c947fa5d
Author: Maksim Malchuk <email address hidden>
Date: Thu Mar 23 16:49:45 2023 +0300

    Add LimitRequestBody configuration for Horizon

    Since CVE-2022-29404 is fixed [1,2] the default value for the
    LimitRequestBody directive in the Apache HTTP Server has been changed
    from 0 (unlimited) to 1 GiB. This limits the size of images (for
    example) uploaded in Horizon. This change adds the ability to
    configure the limit.

    1. https://access.redhat.com/articles/6975397
    2. https://ubuntu.com/security/CVE-2022-29404

    Closes-Bug: #2012588
    Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit d907790fffaf392f40ac5e6d824e72995c1f612c)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/879320
Committed: https://opendev.org/openstack/kolla-ansible/commit/dceb3a5a53ba548b45009590a4db924d909be3b1
Submitter: "Zuul (22348)"
Branch: stable/zed

commit dceb3a5a53ba548b45009590a4db924d909be3b1
Author: Maksim Malchuk <email address hidden>
Date: Thu Mar 23 16:49:45 2023 +0300

    Add LimitRequestBody configuration for Horizon

    Since CVE-2022-29404 is fixed [1,2] the default value for the
    LimitRequestBody directive in the Apache HTTP Server has been changed
    from 0 (unlimited) to 1 GiB. This limits the size of images (for
    example) uploaded in Horizon. This change adds the ability to
    configure the limit.

    1. https://access.redhat.com/articles/6975397
    2. https://ubuntu.com/security/CVE-2022-29404

    Closes-Bug: #2012588
    Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit d907790fffaf392f40ac5e6d824e72995c1f612c)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 13.9.0

This issue was fixed in the openstack/kolla-ansible 13.9.0 release.

Changed in kolla-ansible:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 16.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 16.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 14.9.0

This issue was fixed in the openstack/kolla-ansible 14.9.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 15.2.0

This issue was fixed in the openstack/kolla-ansible 15.2.0 release.
