Synopsis

Low: openstack-neutron security and bug fix update

Type/Severity

Security Advisory: Low

Topic

Updated openstack-neutron packages that fix one security issue and several
bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0
for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

OpenStack Networking (neutron) is a pluggable, scalable, and API-driven
system that provisions networking services to virtual machines. Its main
function is to manage connectivity to and from virtual machines. As of Red
Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum'
as the core component of OpenStack Networking.

It was discovered that the openstack-neutron package in Red Hat Enterprise
Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6 was released
with a sudoers file containing a configuration error. This error caused
OpenStack Networking to be vulnerable to the CVE-2013-6433 issue.
(CVE-2014-3632)

This update also fixes the following bugs:

• Prior to this update, the Open vSwitch agent failed to process ports on
  the integration bridge that quickly disappeared and reappeared during the
  processing loop. When such a failure occurred, the processing of the port
  was aborted (which is the correct behavior), but it was also marked as
  processed, meaning that the next updates for the port were not applied when
  it reappeared later. As a consequence, some ports were not VLAN-tagged
  correctly, and that resulted in no network connectivity for those instances
  that were bound to those ports. With this update, ports that are not on the
  integration bridge are still not processed but also not marked as such.
  Ports that disappear and then reappear later on the integration bridge are
  processed correctly, and VLAN tag updates are properly applied.
  (BZ#1123053)
  
• This update fixes an issue that caused connectivity to be dropped when
  restarting the openvswitch service with l2pop enabled. (BZ#1120719)
  
• Due to an incorrect version of the python-httplib2 package specified in
  the spec file, when a large amount of virtual machines (VMs) was launched,
  some of the VMs could be assigned two private IP addresses. (BZ#1126451)
  

All openstack-neutron users are advised to upgrade to these updated
packages, which correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenStack 5.0 for RHEL 6 x86_64

Fixes

• BZ - 1126451 - VMs get 2 private IPs during launching of a large amount of VMs
• BZ - 1128194 - LBaaS extension doesn't register it's resources to quota engine
• BZ - 1140949 - CVE-2014-3632 openstack-neutron: regression of fix for CVE-2013-6433

CVEs

• CVE-2014-3632

References

• http://www.redhat.com/security/updates/classification/#low

Red Hat OpenStack 5.0 for RHEL 6

SRPM
openstack-neutron-2014.1.2-4.el6ost.src.rpm	SHA-256: c3e3c9e7e8dc96eff69ced95572e8f29a73b51d441ce317ec94363aa8adde8f9
x86_64
openstack-neutron-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 1cef3083d52673b2097122e9fe450b66dadf4d9838efe9762e2448d115767b35
openstack-neutron-bigswitch-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 3986d69e1f75cbe58ab84e2f1a200a6c1cdafc9baaec3befa66e3b370b397763
openstack-neutron-brocade-2014.1.2-4.el6ost.noarch.rpm	SHA-256: b2961b09590ccb08a817279db2961cbb948bf9279d5df45f2e10286b6dee56c5
openstack-neutron-cisco-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 8a06523a5e9ec89963dde246041a6d6b6da306370328e9a833f1374c9a12285d
openstack-neutron-hyperv-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 6b4329d8268fd0d702c1badf9e523d3a5e31a5397d5a826b119bc9251366c043
openstack-neutron-ibm-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 1c5078c66b55e452383bf81f0f59b861353a160a7eb550174c61486c6fdd5d1e
openstack-neutron-linuxbridge-2014.1.2-4.el6ost.noarch.rpm	SHA-256: f87d36fb237b96ea97da7a05248791927f61c0be13437e12908365f00f4c9b89
openstack-neutron-mellanox-2014.1.2-4.el6ost.noarch.rpm	SHA-256: fa49f7aeb10219a602742f4b5ea372ac7c98c1ae4606c5af4a612c44ad50c3e0
openstack-neutron-metaplugin-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 894d65e91d346f4a7df401e827686b3da0f671147e169723ac631b28ac5f1217
openstack-neutron-metering-agent-2014.1.2-4.el6ost.noarch.rpm	SHA-256: e981123674dc1df7889720023bf0b9ff3c0f07aec1e2019a6dbb78d2f903c78b
openstack-neutron-midonet-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 7d1f2fabdb6168502c658e1283183cd92893fb5908ced34f5d5ceb7524e66005
openstack-neutron-ml2-2014.1.2-4.el6ost.noarch.rpm	SHA-256: c89a0893dac2f08ce2795aa0defa8d4dc7a98e73004f835d3b5157e35a573470
openstack-neutron-nec-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 6a308d3df4fd2fdea12dc1ef8c04a24663e29aa88f4f510b3c9f8a69fe6e8b2d
openstack-neutron-ofagent-2014.1.2-4.el6ost.noarch.rpm	SHA-256: c08ace2722bcd3a28e72c284cca408c932d4ddd583570254e137507d946f2cfa
openstack-neutron-oneconvergence-nvsd-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 7a2c7c3589ce9253b28fa20a3dbfa27c72cf53d72b3704d88809a3427e1d46a6
openstack-neutron-openvswitch-2014.1.2-4.el6ost.noarch.rpm	SHA-256: b3eb34acddde920b9cd98b4e1b975377a2eae6c4ec99505421ef124170686044
openstack-neutron-plumgrid-2014.1.2-4.el6ost.noarch.rpm	SHA-256: c51942d6fee8556672079a044055b0d4cf4bc0539bc5c504da304af707fc65e6
openstack-neutron-ryu-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 4cc29be33907d09e8c69ae141b0fa67c92cec214a30d8f2557f51ba1e6f9ddd4
openstack-neutron-vmware-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 251b65fa17ee7434db76f77455b6d9a2ed5b3e74cfa3b66ede620ed3bea856ac
openstack-neutron-vpn-agent-2014.1.2-4.el6ost.noarch.rpm	SHA-256: e2e07eb5f796f68fcae47c39ab377ce35703affa15355c412c5979f76a439767
python-neutron-2014.1.2-4.el6ost.noarch.rpm	SHA-256: 2cc388d6f1582358887fe9a0571274482f62f2f573b68e8294f1a487aeda4951