=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-nova security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:2332-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2332
Issue date:        2018-08-20
CVE Names:         CVE-2017-18191
=====================================================================

1. Summary:

An update for openstack-nova is now available for Red Hat OpenStack
Platform 12.0 (Pike).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 12.0 - noarch

3. Description:

OpenStack Compute (nova) launches and schedules large networks of virtual
machines, creating a redundant and scalable cloud computing platform.
Compute provides the software, control panels, and APIs required to
orchestrate a cloud, including running virtual machine instances and
controlling access through users and projects.

The following packages have been upgraded to a later upstream version:
openstack-nova (16.1.4). (BZ#1591212)

Security Fix(es):

* openstack-nova: Swapping encrypted volumes can allow an attacker to
corrupt the LUKS header causing a denial of service in the host
(CVE-2017-18191)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

For more information about the bug fixes and enhancements included with
this update, see the "Technical Notes" section of the Release Notes linked
in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1516271 - [RHOS-12.0.z] Add RPM deps to require install of qemu-kvm-rhev, not qemu-kvm-rhel
1537047 - Bug in log output in hardware.py "Not enough available memory to schedule instance" prints full memory instead of available memory
1539703 - By rebuilding twice with the same "forbidden" image one can circumvent scheduler rebuild restrictions
1546937 - CVE-2017-18191 openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host
1547578 - Nova assumes that a volume is fully detached from the compute if the volume is not defined in the instance's libvirt definition
1556851 - Instance hard reboots fail due to a TimeoutException being thrown waiting for vif-plugged events from Neutron
1557938 - [BACKPORT Request] Nova returns a traceback when it's unable to detach a volume still in use
1558706 - [OSP 12] nova get-password returns blank line
1569955 - preallocate_images = space is not honoured when using qcow2
1570314 - When creating a stack with not enough resource, volumes remain in attaching
1572836 - nova-compute should log messages about stale resource allocations at warning priority
1573799 - Fix setting tx_queue_size when rx_queue_size is not set
1575985 - Duplicate imports of oslo_config types
1579785 - On split-stack setups, left over node information prevents a node from rejoin the cloud
1590514 - Rebase openstack-nova to aa7714c
1591212 - Rebase openstack-nova to 16.1.4
1591296 - [RHOS-12][rebase] Lift the restriction on choices for `cpu_model_extra_flags` config attribute

6. Package List:

Red Hat OpenStack Platform 12.0:

Source:
openstack-nova-16.1.4-6.el7ost.src.rpm

noarch:
openstack-nova-16.1.4-6.el7ost.noarch.rpm
openstack-nova-api-16.1.4-6.el7ost.noarch.rpm
openstack-nova-cells-16.1.4-6.el7ost.noarch.rpm
openstack-nova-common-16.1.4-6.el7ost.noarch.rpm
openstack-nova-compute-16.1.4-6.el7ost.noarch.rpm
openstack-nova-conductor-16.1.4-6.el7ost.noarch.rpm
openstack-nova-console-16.1.4-6.el7ost.noarch.rpm
openstack-nova-migration-16.1.4-6.el7ost.noarch.rpm
openstack-nova-network-16.1.4-6.el7ost.noarch.rpm
openstack-nova-novncproxy-16.1.4-6.el7ost.noarch.rpm
openstack-nova-placement-api-16.1.4-6.el7ost.noarch.rpm
openstack-nova-scheduler-16.1.4-6.el7ost.noarch.rpm
openstack-nova-serialproxy-16.1.4-6.el7ost.noarch.rpm
openstack-nova-spicehtml5proxy-16.1.4-6.el7ost.noarch.rpm
python-nova-16.1.4-6.el7ost.noarch.rpm
python-nova-tests-16.1.4-6.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18191
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce