Security update for openstack-neutron

SUSE Security Update: Security update for openstack-neutron
Announcement ID: SUSE-SU-2015:0018-1
Rating: low
References: #890711 #896780 #897815 #899132 #905104
Affected Products:
  • SUSE Cloud 4

An update that solves two vulnerabilities and has three fixes is now available. It includes one version update.

    Description:


    This update for openstack-neutron provides security and stability fixes:

    * Updated from global requirements
    * Stop ignoring 400 errors returned by ODL
    * Delete disassociated floating ips on external network deletion
    * Cisco: update_port should only invoke n1kv and not nexus plugin
    * Add unit tests covering single operations to ODL
    * Qpid: explicitly name subscription queue
    * Convert all incoming protocol numbers to string
    * Fix hostname regex pattern (bnc#905104, CVE-2014-7821)
    * Fix event_send for re-assign floating ip
    * Enabled Cisco ML2 driver to use new upstream ncclient
    * Allow delete_port to work when there are multiple floating ips
    * Set vif_details to reflect enable_security_group
    * Revert "Deletes floating ip related connection states"
    * Big Switch: Fix SSL version on get_server_cert
    * NSX: allow multiple networks with same vlan on different phy_net
    * Fix a recent ipv6 UT regression
    * Big Switch: Switch to TLSv1 in server manager
    * Remove unused py33 tox env
    * Increase the default poll duration for Cisco n1kv
    * Check for IPv6 file before reading
    * Big Switch: Don't clear hash before sync
    * Skip lbaas table creation if tables already exist
    * Create 'quota' table in folsom_initial
    * Forbid regular users to reset admin-only attrs to default values (bnc#896780, CVE-2014-6414)
    * Follow the RFC-3442-spec for DHCP (bnc#899132)
    * Allow unsharing a network used as gateway floatingip (bnc#890711)
    * Delete DHCP port without DHCP server on a net node
    * Add quotas to Cisco N1kv plugins supported extension aliases
    * Fix error adding security groups to instances with nexus
    * Provide way to reserve dhcp port during failovers
    * Enforce required config params for ODL driver
    * Update vsm credential correctly
    * Networks are not scheduled to DHCP agents for Cisco N1KV plugin
    * Add BSN plugin to agent migration script
    * Deletes floating ip related connection states
    * Add delete operations for the ODL MechanismDriver
    * Add missing ml2 plugin to migration
    * Big Switch: Check for 'id' in port before lookup
    * NSX: Optionally not enforce nat rule match length check
    * Don't spawn metadata-proxy for non-isolated nets
    * Send network name and uuid to subnet create
    * Don't allow user to set firewall rule with port and no protocol
    * Allow unsharing a network used as gateway/floatingip
    * Big Switch: Retry on 503 errors from backend
    * BSN: Allow concurrent reads to consistency DB
    * Fix metadata agent's auth info caching
    * Fixes Hyper-V agent issue on Hyper-V 2008 R2
    * Fixes Hyper-V issue due to ML2 RPC versioning
    * Verify ML2 type driver exists before calling del
    * NSX: Correct allowed_address_pair return value on create_port
    * Neutron should not use the neutronclient utils module for import_class
    * Pass object to policy when finding fields to strip
    * Perform policy checks only once on list responses
    * Cisco N1kv plugin to send subtype on network profile creation
    * Add support for router scheduling in Cisco N1kv Plugin
    * Remove explicit dependency on amqplib
    * Fix func job hook script permission problems
    * Big Switch: Only update hash header on success
    * Clear entries in Cisco N1KV specific tables on rollback
    * Fix no-ipv6 regression (lp#1361542)
    * Add hook scripts for the functional infra job
    * Ensure ip6tables are used only if ipv6 is enabled in kernel
    * Ignore variable column widths in ovsdb functional tests
    * VMWare: don't notify on disassociate_floatingips()
    * Avoid notifying while inside transaction opened in delete_port()
    * Cisco N1kv: Remove vmnetwork delete REST call on last port delete
    * Raise exception for network delete with subnets presents
    * Security Group rule validation for ICMP rules.

    Security Issues:

    * CVE-2014-7821

    * CVE-2014-6414

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Cloud 4:
      zypper in -t patch sleclo40sp3-openstack-neutron-1214-10031

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Cloud 4 (x86_64) [New Version: 2014.1.4.dev66.gb8c0c7b]:
      • openstack-neutron-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-dhcp-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-ha-tool-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-l3-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-lbaas-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-linuxbridge-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-metadata-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-metering-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-mlnx-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-nec-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-openvswitch-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-plugin-cisco-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-ryu-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-server-2014.1.4.dev66.gb8c0c7b-0.7.1
      • openstack-neutron-vpn-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      • python-neutron-2014.1.4.dev66.gb8c0c7b-0.7.1
    • SUSE Cloud 4 (noarch) [New Version: 2014.1.4.dev66.gb8c0c7b]:
      • openstack-neutron-doc-2014.1.4.dev66.gb8c0c7b-0.7.1

    References:

    • http://support.novell.com/security/cve/CVE-2014-6414.html
    • http://support.novell.com/security/cve/CVE-2014-7821.html
    • https://bugzilla.suse.com/show_bug.cgi?id=890711
    • https://bugzilla.suse.com/show_bug.cgi?id=896780
    • https://bugzilla.suse.com/show_bug.cgi?id=897815
    • https://bugzilla.suse.com/show_bug.cgi?id=899132
    • https://bugzilla.suse.com/show_bug.cgi?id=905104
    • http://download.suse.com/patch/finder/?keywords=6fef8cad1f09e4cf337bdbe3462f5cf2