Hello,
an update: patches have been refreshed for this bug, and attached here.
I reached out to Jeremy, and he agreed to take a look at this embargo disclosure notice before I post it to <email address hidden> and <email address hidden>. Thank you! Please let me know if I can change anything. Next steps, after the draft message:
--------------------------------------------------------------------
Subject: [pre-OSSA] Vulnerability in OpenStack Manila (CVE-2020-9543)
This is an advance warning of a vulnerability discovered in
OpenStack Manila, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.
OpenStack Manila <= 9.1.0 allows other project users to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.
CVE: CVE-2020-9543
Proposed public disclosure date/time:
2020-03-09, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.
Original private report: https://bugs.launchpad.net/manila/+bug/1861485
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
--
Goutham Pacha Ravi
Project Team Lead, OpenStack Manila
Attachments: cve-2020-9543-master-ussuri.patch, cve-2020-9543-stable-train.patch, cve-2020-9543-stable-stein.patch, cve-2020-9543-stable-rocky.patch, cve-2020-9543-stable-queens.patch, cve-2020-9543-stable-pike.patch
--------------------------------------------------------------------
Next Steps:
* On public disclosure (2020-03-09, 1500 UTC) - I'll switch this bug to public, and coordinate with mnaser to upload the patches to review.opendev.org.
* Tom and I will review/fast track approvals with the help of other cores
* Once patches have merged, I'll request a release from train, stein and rocky branches. (The patches for queens and pike have only been provided for courtesy - we will not perform a release on those branches).
* Simultaneously, I'll coordinate with the VMT team to publish an OSSA to <email address hidden> and <email address hidden>.
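The "context-free lookup of a UUID" named in the notice is the general pattern in which a resource is fetched by its id alone, so any tenant who can supply the id is handed the object regardless of which project owns it. The following is an added example, not Manila's code: the in-memory store, the `Context` class, the `ShareNetwork` record and the function names are constructed here to show an unscoped lookup beside a project-scoped one, and a probe that tells which of the two lets project B read project A's share network.

```python
"""Unscoped versus project-scoped lookup of a resource by UUID.

Added illustration, not Manila's code: the store, Context, ShareNetwork
and all function names are constructed for this example.
"""
from dataclasses import dataclass
import uuid


@dataclass(frozen=True)
class Context:
    """Request context: who is asking and which project they act for."""
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class ShareNetwork:
    id: str
    project_id: str
    name: str


class NotFound(Exception):
    """Raised for both 'no such id' and 'not visible to this project'."""


# Constructed sample data: two tenants, one share network each.
PROJECT_A = "proj-a"
PROJECT_B = "proj-b"
NET_A = ShareNetwork(id=str(uuid.uuid4()), project_id=PROJECT_A, name="net-a")
NET_B = ShareNetwork(id=str(uuid.uuid4()), project_id=PROJECT_B, name="net-b")
STORE = {NET_A.id: NET_A, NET_B.id: NET_B}


def share_network_get_unscoped(share_network_id: str) -> ShareNetwork:
    """Context-free lookup: whoever supplies a valid UUID gets the row.

    This is the weak pattern; the caller's project is never consulted.
    """
    try:
        return STORE[share_network_id]
    except KeyError:
        raise NotFound(share_network_id) from None


def share_network_get(context: Context, share_network_id: str) -> ShareNetwork:
    """Project-scoped lookup: the tenant filter is part of the lookup itself.

    'Does not exist' and 'belongs to another project' yield the same error,
    so the response does not confirm that the UUID is valid elsewhere.
    """
    net = STORE.get(share_network_id)
    if net is None:
        raise NotFound(share_network_id)
    if not context.is_admin and net.project_id != context.project_id:
        raise NotFound(share_network_id)
    return net


def unscoped_leaks_across_projects() -> bool:
    """True if a project-B caller can fetch project A's network via the unscoped path."""
    try:
        share_network_get_unscoped(NET_A.id)
    except NotFound:
        return False
    return True  # the id alone is enough: cross-tenant read succeeds


def scoped_leaks_across_projects() -> bool:
    """True if a project-B caller can fetch project A's network via the scoped path."""
    ctx_b = Context(user_id="user-b", project_id=PROJECT_B)
    try:
        share_network_get(ctx_b, NET_A.id)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    print("unscoped lookup leaks:", unscoped_leaks_across_projects())
    print("scoped lookup leaks:  ", scoped_leaks_across_projects())
```

The point of threading the project id through `share_network_get` rather than checking ownership afterwards is that every caller (view, update, delete, and the create paths that reference a share network) inherits the tenant filter automatically; an after-the-fact check has to be remembered at each call site, which is exactly where this class of bug comes from.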