The remote Red Hat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2014:0091 advisory.

The openstack-neutron packages provide OpenStack Networking (neutron), the virtual network service.

It was discovered that the metadata agent in OpenStack Networking was missing an authorization check on the device ID that is bound to a specific port. A remote tenant could guess the instance ID bound to a port and retrieve metadata of another tenant, resulting in information disclosure. Note that only OpenStack Networking setups running neutron-metadata-agent were affected. (CVE-2013-6419)

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Aaron Rosen of VMware as the original reporter.

The openstack-neutron packages have been upgraded to upstream version 2013.2.1, which provides a number of bug fixes and enhancements over the previous version. The most notable fixes and enhancements are:

– Support for multiple workers in the Neutron API. This can be achieved by setting the 'workers=' parameter in the neutron.conf file.
– The downtime and report interval default settings are tuned for neutron agents.
– The floating IP address stability has been enhanced.
– A heartbeat-related deadlock problem in neutron-server has been fixed.

(BZ#1045419)

This update also fixes the following bugs:

* An incorrect warning was…
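The class of flaw described for CVE-2013-6419, a metadata lookup that trusts the device ID sent with the request, is shown next to a version that checks port ownership. This is an added example and not code from neutron or from the advisory: the in-memory data model, the function names and the sample IDs are constructed, and it assumes the service already knows which tenant a request came from.

```python
# Simplified in-memory model, constructed for illustration (not neutron code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    port_id: str
    device_id: str   # instance ID bound to this port
    tenant_id: str   # tenant that owns the port

# Constructed sample data: two tenants with one instance each.
PORTS = [
    Port("port-a", "instance-aaaa", "tenant-a"),
    Port("port-b", "instance-bbbb", "tenant-b"),
]
METADATA = {
    "instance-aaaa": {"hostname": "web-a"},
    "instance-bbbb": {"hostname": "db-b"},
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested metadata."""

def get_metadata_unchecked(requested_device_id, caller_tenant_id):
    # Flawed pattern: caller_tenant_id is ignored and the supplied device ID
    # is trusted, so a correctly guessed ID returns another tenant's metadata.
    return METADATA[requested_device_id]

def get_metadata_checked(requested_device_id, caller_tenant_id):
    # Hardened pattern: the device ID must be bound to a port owned by the
    # tenant the request came from. Unknown and foreign IDs fail the same
    # way, so the response does not confirm that a guessed ID exists.
    owned = any(
        p.device_id == requested_device_id and p.tenant_id == caller_tenant_id
        for p in PORTS
    )
    if not owned:
        raise Forbidden("device ID is not bound to a port of this tenant")
    return METADATA[requested_device_id]

def is_allowed(requested_device_id, caller_tenant_id):
    # Convenience wrapper that reports the hardened decision as a boolean.
    try:
        get_metadata_checked(requested_device_id, caller_tenant_id)
        return True
    except Forbidden:
        return False
```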