A number of openstack-nova security bugs were recently closed as WONTFIX:
https://bugzilla.redhat.com/show_bug.cgi?id=956808 /var/log/nova/ is world readable
https://bugzilla.redhat.com/show_bug.cgi?id=961736 CVE-2013-2030 insecure directory creation for signing
https://bugzilla.redhat.com/show_bug.cgi?id=963728 CVE-2013-2096 fails to verify image virtual size denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=994810 CVE-2013-2256 private flavors resource limit circumvention
https://bugzilla.redhat.com/show_bug.cgi?id=994817 CVE-2013-4185 network source security groups denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=995173 CVE-2013-4179 XML entities DoS
https://bugzilla.redhat.com/show_bug.cgi?id=999277 CVE-2013-4261 console-log DoS
https://bugzilla.redhat.com/show_bug.cgi?id=1040789 CVE-2013-7048 insecure directory permissions in snapshots
https://bugzilla.redhat.com/show_bug.cgi?id=1057311 CVE-2013-7130 Live migration can leak root disk into ephemeral storage
The reason for WONTFIX was stated as "Openstack is not maintained in EPEL, newer versions of openstack for EPEL are kept in RDO".
If there are no plans to continue maintaining openstack-nova in EPEL, the package should be removed from EPEL.
28.3.2014 10.36, Anssi Johansson wrote:
> A number of openstack-nova security bugs were recently closed as WONTFIX:
> https://bugzilla.redhat.com/show_bug.cgi?id=956808 /var/log/nova/ is world readable
> https://bugzilla.redhat.com/show_bug.cgi?id=961736 CVE-2013-2030 insecure directory creation for signing
> https://bugzilla.redhat.com/show_bug.cgi?id=963728 CVE-2013-2096 fails to verify image virtual size denial of service
> https://bugzilla.redhat.com/show_bug.cgi?id=994810 CVE-2013-2256 private flavors resource limit circumvention
> https://bugzilla.redhat.com/show_bug.cgi?id=994817 CVE-2013-4185 network source security groups denial of service
> https://bugzilla.redhat.com/show_bug.cgi?id=995173 CVE-2013-4179 XML entities DoS
> https://bugzilla.redhat.com/show_bug.cgi?id=999277 CVE-2013-4261 console-log DoS
> https://bugzilla.redhat.com/show_bug.cgi?id=1040789 CVE-2013-7048 insecure directory permissions in snapshots
> https://bugzilla.redhat.com/show_bug.cgi?id=1057311 CVE-2013-7130 Live migration can leak root disk into ephemeral storage
> The reason for WONTFIX was stated as "Openstack is not maintained in EPEL, newer versions of openstack for EPEL are kept in RDO".
> If there are no plans to continue maintaining openstack-nova in EPEL, the package should be removed from EPEL.
I'm still of the opinion that if a package in EPEL is no longer maintained and it has known security issues, it should be removed from EPEL.
On Sat, Apr 12, 2014 at 10:33:50AM +0300, Anssi Johansson wrote:
> I'm still of the opinion that if a package in EPEL is no longer maintained and it has known security issues, it should be removed from EPEL.
That will happen, in the next few weeks, as far as I know.
Matthias
16.4.2014 23.20, Matthias Runge wrote:
> On Sat, Apr 12, 2014 at 10:33:50AM +0300, Anssi Johansson wrote:
>> I'm still of the opinion that if a package in EPEL is no longer maintained and it has known security issues, it should be removed from EPEL.
> That will happen, in the next few weeks, as far as I know.
> Matthias
Are we there yet?
# yum search openstack-nova
..
openstack-nova : OpenStack Compute (nova)
openstack-nova-api : OpenStack Nova API services
openstack-nova-cert : OpenStack Nova certificate management service
openstack-nova-common : Components common to all OpenStack Nova services
openstack-nova-compute : OpenStack Nova Virtual Machine control service
openstack-nova-console : OpenStack Nova console access services
openstack-nova-doc : Documentation for OpenStack Compute
openstack-nova-network : OpenStack Nova Network control service
openstack-nova-novncproxy : Proxy server for noVNC traffic over Websockets
openstack-nova-objectstore : OpenStack Nova simple object store service
openstack-nova-scheduler : OpenStack Nova VM distribution service
openstack-nova-volume : OpenStack Nova storage volume control service
2014-07-04 18:35 GMT+02:00 Anssi Johansson epel@miuku.net:
> 16.4.2014 23.20, Matthias Runge wrote:
>> On Sat, Apr 12, 2014 at 10:33:50AM +0300, Anssi Johansson wrote:
>>> I'm still of the opinion that if a package in EPEL is no longer maintained and it has known security issues, it should be removed from EPEL.
>> That will happen, in the next few weeks, as far as I know.
>> Matthias
> Are we there yet?
Finally, we are there: https://fedorahosted.org/rel-eng/ticket/5966#comment:1
Cheers, Alan
epel-devel@lists.fedoraproject.org