CVEs related to bugs in Mirantis OpenStack

Open bugs

Columns: Bug, CVE(s), Mirantis OpenStack status

Bug #1340038: Linux ptrace bug (CVE-2014-4699)
    CVE(s): CVE-2014-4699
    Mirantis OpenStack: Fix committed by Alexei Sheplyakov

Bug #1373965: bash: specially-crafted environment variables can be used to inject shell commands
    CVE(s): CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
    Mirantis OpenStack: Fix committed by Pavel Boldin

Bug #1391938: Neutron DoS through invalid DNS configuration (CVE-2014-7821)
    CVE(s): CVE-2014-7821
    Mirantis OpenStack: Fix committed by Alexander Ignatov

Bug #1398893: Backport upstream security fix for login page DOS-attack vulnerability (CVE-2014-8124)
    CVE(s): CVE-2014-8124
    Mirantis OpenStack: Fix committed by Timur Sufiev

Bug #1410811: radvd >= 2.0 blocks router update processing
    CVE(s): CVE-2014-8153
    Mirantis OpenStack: Fix committed by Alexander Ignatov

Bug #1489958: (CVE-2015-5240) Neutron firewall rules bypass through port update
    CVE(s): CVE-2015-5240
    Mirantis OpenStack: Fix committed by Alexander Ignatov

Bug #1531938: [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548)
    CVE(s): CVE-2015-7548
    Mirantis OpenStack: New, assigned to MOS Nova

Bug #1572600: [OSSA 2016-007] Host data leak during resize/migrate for raw-backed instances (CVE-2016-2140)
    CVE(s): CVE-2016-2140
    Mirantis OpenStack: Confirmed, assigned to MOS Maintenance

Bug #1599545: Ceph monitor crash
    CVE(s): CVE-2016-5009
    Mirantis OpenStack: Confirmed, assigned to MOS Ceph

Bug #1667226: CatchErrors leaks sensitive values in oslo.middleware [OSSA-2017-001], [CVE-2017-2592]
    CVE(s): CVE-2017-2592
    Mirantis OpenStack: Confirmed, assigned to MOS Maintenance

Resolved bugs

Columns: Bug, CVE(s), Mirantis OpenStack status

Bug #1403102: Glance allows users to download and delete any file in glance-api server
    CVE(s): CVE-2014-9493
    Mirantis OpenStack: Fix released, assigned to Alexander Tivelkov

Bug #1414685: [Glance] Glance user storage quota bypass #1
    CVE(s): CVE-2014-9623
    Mirantis OpenStack: Invalid by Mike Fedosin

Bug #1420273: Nova console Cross-Site WebSocket hijacking
    CVE(s): CVE-2015-0259
    Mirantis OpenStack: Fix released, assigned to Roman Podoliaka

Bug #1425171: Upgrade OpenSSL packages
    CVE(s): CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470
    Mirantis OpenStack: Opinion, assigned to MOS Linux

Bug #1442041: Unauthorized delete of versioned Swift object
    CVE(s): CVE-2015-1856
    Mirantis OpenStack: Fix released, assigned to Alexey Khivin

Bug #1442579: [pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)
    CVE(s): CVE-2015-1852
    Mirantis OpenStack: Fix released, assigned to Alexander Makarov

Bug #1459628: Another Horizon login page vulnerability to a DoS attack
    CVE(s): CVE-2015-5143
    Mirantis OpenStack: Fix released, assigned to Aleksander Mogylchenko

Bug #1465333: Format-guessing and file disclosure in image convert (CVE-2015-1850)
    CVE(s): CVE-2015-1850, CVE-2015-1851
    Mirantis OpenStack: Fix released, assigned to Timur Nurlygayanov

Bug #1466077: Resize/delete combo allows to overload nova-compute (CVE-2015-3241)
    CVE(s): CVE-2015-3241
    Mirantis OpenStack: Fix released, assigned to MOS Nova

Bug #1466490: Neutron L2 agent DoS through incorrect allowed address pairs (CVE-2015-3221)
    CVE(s): CVE-2015-3221
    Mirantis OpenStack: Fix released, assigned to Alexander Ignatov

Bug #1468744: [OSSA 2015-009] Sanitation of metadata label (CVE-2015-3988)
    CVE(s): CVE-2015-3988
    Mirantis OpenStack: Fix released, assigned to Vlad Okhrimenko

Bug #1469149: [CVE-2015-3646][OSSA 2015-008] backend_argument containing a password leaked in logs
    CVE(s): CVE-2015-3646
    Mirantis OpenStack: Fix released, assigned to Alexander Makarov

Bug #1469158: Image chunks remains in store if upload is interrupted
    CVE(s): CVE-2014-9684, CVE-2015-1881
    Mirantis OpenStack: Fix released, assigned to Mike Fedosin

Bug #1481494: Session timed out notice in horizon after idle period
    CVE(s): CVE-2014-8124
    Mirantis OpenStack: Invalid by MOS Maintenance

Bug #1487450: Information leak via Swift tempurls (CVE-2015-5223)
    CVE(s): CVE-2015-5223
    Mirantis OpenStack: Fix released, assigned to Alexey Khivin

Bug #1489775: Nova may fail to delete images in resize state
    CVE(s): CVE-2015-3280
    Mirantis OpenStack: Fix released, assigned to Sergey Nikitin

Bug #1496798: User can change image status directly with v1 API
    CVE(s): CVE-2015-5251
    Mirantis OpenStack: Fix released, assigned to Mike Fedosin

Bug #1497984: [Glance] Glance user storage quota bypass #2
    CVE(s): CVE-2015-5286
    Mirantis OpenStack: Fix released, assigned to Mike Fedosin

Bug #1514467: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)
    CVE(s): CVE-2014-9493, CVE-2015-1195
    Mirantis OpenStack: Invalid (unassigned)

Bug #1514759: Security vulnerability: update kernel packages on Ubuntu slaves (USN-2800-1 and related)
    CVE(s): CVE-2015-5307
    Mirantis OpenStack: Invalid by MOS Linux

Bug #1520185: RGW returns requested bucket name raw in "Bucket" response header
    CVE(s): CVE-2015-5245
    Mirantis OpenStack: Won't fix, assigned to Denis Meltsaykin

Bug #1526823: PKI Token Revocation Bypass (CVE-2015-7546)
    CVE(s): CVE-2015-7546
    Mirantis OpenStack: Invalid by MOS Keystone

Bug #1528826: Use of MD5 in OpenStack Glance image signature (CVE-2015-8234)
    CVE(s): CVE-2015-8234
    Mirantis OpenStack: Fix released, assigned to MOS Glance

Bug #1530927: [OSSA 2016-001] Nova host data leak through snapshot
    CVE(s): CVE-2015-7548
    Mirantis OpenStack: Fix released, assigned to MOS Nova

Bug #1533285: [OSSA 2015-021] secgroup rules doesn't work for instance immediately (CVE-2015-7713)
    CVE(s): CVE-2015-7713
    Mirantis OpenStack: Invalid by MOS Nova

Bug #1533729: Heat denial of service through template-validate
    CVE(s): CVE-2015-5295
    Mirantis OpenStack: Fix released, assigned to Sergey Kraynev

Bug #1534262: Outdated (vulnerable) libvirt package in MOS 6.0
    CVE(s): CVE-2011-4600, CVE-2014-8136, CVE-2015-0236, CVE-2015-5247, CVE-2015-5313
    Mirantis OpenStack: Fix released, assigned to Denis Meltsaykin

Bug #1539520: [pre-OSSA] Vulnerability in OpenStack Glance (CVE-2016-0757) / Glance image status manipulation through locations removal (OSSA-2016-006)
    CVE(s): CVE-2016-0757
    Mirantis OpenStack: Fix released, assigned to Kairat Kushaev

Bug #1542145: [OSSA-2016-004] Swift proxy-server DoS through Large Object (CVE-2016-0737, CVE-2016-0738)
    CVE(s): CVE-2016-0737, CVE-2016-0738
    Mirantis OpenStack: Fix released, assigned to Alexey Stupnikov

Bug #1542152: [OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)
    CVE(s): CVE-2015-7546
    Mirantis OpenStack: Invalid by MOS Keystone

Bug #1547229: CVE-2015-7547: Critical Vulnerability in glibc getaddrinfo
    CVE(s): CVE-2015-7547
    Mirantis OpenStack: Fix released, assigned to MOS Maintenance

Bug #1552683: Vulnerability in Nova instance resize/migration
    CVE(s): CVE-2016-2140
    Mirantis OpenStack: Invalid by Sergii Rizvan

Bug #1563753: CVE-2016-2074: MPLS buffer overflow vulnerabilities in Open vSwitch
    CVE(s): CVE-2016-2074
    Mirantis OpenStack: Fix released, assigned to Albert Syriy

Bug #1572594: [OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)
    CVE(s): CVE-2015-8749
    Mirantis OpenStack: Fix released, assigned to Alexey Stupnikov

Bug #1578370: Multiple MySQL 5.5 and 5.6 vulnerabilities
    CVE(s): CVE-2016-0639, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647,
            CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0655, CVE-2016-0661, CVE-2016-0665, CVE-2016-0666, CVE-2016-0668, CVE-2016-2047
    Mirantis OpenStack: Fix released, assigned to MOS Linux

Bug #1584662: [CVE-2016-3710] Multiple Qemu security vulnerabilities
    CVE(s): CVE-2016-3710, CVE-2016-5403
    Mirantis OpenStack: Fix released, assigned to Albert Syriy

Bug #1590372: Backport the fix for Horizon CVE-2016-4428 vulnerability (OSSA-2016-010)
    CVE(s): CVE-2016-4428
    Mirantis OpenStack: Fix released, assigned to Timur Sufiev

Bug #1593002: [murano] YaqlYamlLoader inherits from YamlLoader
    CVE(s): CVE-2016-4972
    Mirantis OpenStack: Fix released, assigned to Kirill Zaitsev

Bug #1593209: Ironic Node information including credentials exposed to unauthenticated users
    CVE(s): CVE-2016-4985
    Mirantis OpenStack: Invalid by Pavlo Shchelokovskyy

Bug #1597254: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
    CVE(s): CVE-2015-5162
    Mirantis OpenStack: Fix released, assigned to Fuel Sustaining

Bug #1615063: QEMU regression (USN-3047-2)
    CVE(s): CVE-2016-5403
    Mirantis OpenStack: Fix released, assigned to Ivan Suzdal

Bug #1636528: CVE-2016-5195 linux kernel local privilege escalation (Dirty COW)
    CVE(s): CVE-2016-5195
    Mirantis OpenStack: Fix released, assigned to MOS Linux

Bug #1679820: Django security issues, new releases 1.10.7, 1.9.13, 1.8.18
    CVE(s): CVE-2017-7233, CVE-2017-7234
    Mirantis OpenStack: Won't fix, assigned to MOS Maintenance

Bug #1680766: Incorrect role assignment with federated Keystone (CVE-2017-2673) (OSSA-2017-004)
    CVE(s): CVE-2017-2673
    Mirantis OpenStack: Won't fix, assigned to MOS Keystone

Bug #1748200: Qemu CVE-2017-5715 aka Spectre update
    CVE(s): CVE-2017-5715
    Mirantis OpenStack: Fix released, assigned to Valeriy Saharov

Bug #1800780: Provide updated MongoDB package
    CVE(s): CVE-2016-6494
    Mirantis OpenStack: Fix released, assigned to Denis Meltsaykin