Red Hat Product Errata RHSA-2015:0789 - Security Advisory

Issued:: 2015-04-07
Updated:: 2015-04-07

RHSA-2015:0789 - Security Advisory

Overview
Updated Packages

Synopsis

Important: openstack-packstack and openstack-puppet-modules security and bug fix update

Type/Severity

Security Advisory: Important

Topic

Updated openstack-packstack and openstack-puppet-modules packages that fix
one security issue and several bugs are now available for Red Hat
Enterprise Linux OpenStack Platform 6.0.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

PackStack is a command-line utility for deploying OpenStack on existing
servers over an SSH connection. Deployment options are provided either
interactively, using the command line, or non-interactively by means of a
text file containing a set of preconfigured values for OpenStack
parameters. PackStack is suitable for proof-of-concept installations.
PackStack is suitable for deploying proof-of-concept installations.

It was discovered that the puppet manifests, as provided with the
openstack-puppet-modules package, would configure the pcsd daemon with a
known default password. If this password was not changed and an attacker
was able to gain access to pcsd, they could potentially run shell commands
as root. (CVE-2015-1842)

This issue was discovered by Alessandro Vozza of Red Hat.

This update also fixes the following bugs:

If OpenStack Networking is enabled, Packstack would display a warning if
the Network Manager service is active on hosts. (BZ#1117277)
A quiet dependency on a newer version of selinux-policy causes
openstack-selinux 0.6.23 to fail to install modules when paired with
selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z.
This causes Identity and other OpenStack services to receive 'AVC' denials
and malfunction under some circumstances. The following workarounds allow
the OpenStack services to function correctly:

1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update
to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve
the issue.

2) Install the updated selinux-policy and selinux-policy-targeted packages
from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or
later), then update openstack-selinux to version 0.6.23-1.el7ost.
(BZ#1195252)

A typo in the code caused a Sahara option that uses OpenStack Networking
to be always false. Sahara now uses OpenStack Networking if the parameter
'CONFIG_NEUTRON_INSTALL is set to 'y'. (BZ#1199047)
Prior to this update, users had to install the OpenStack Unified Client
separately after an installation of Packstack. Packstack now installs it by
default. (BZ#1199114)
This enhancement updates Packstack to retain temporary directories when
running an installation in debug mode. This assists with troubleshooting
activities. As a result, temporary directories are not deleted when running
Packstack with the --debug command line option. (BZ#1199565)
Prior to this update, some validators did not use 'validate_not_empty' to
ensure that certain parameters contained values. As a result, a number of
internal validations could not be properly handled, leading to the
possibility of unexpected errors. This update fixes validators to use
validate_not_empty when required, resulting in correct validation behavior
from validators. (BZ#11995889)

In addition to the above issues, this update also addresses bugs and
enhancements which can be found in the Red Hat Enterprise Linux OpenStack
Platform Technical Notes, linked to in the References section.

All openstack-packstack and openstack-puppet-modules users are advised to
upgrade to these updated packages, which correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 6.0 x86_64

Fixes

BZ - 1117277 - Test Packstack/RHEL OSP on RHEL 7 nodes where Network Manager is NOT disabled
BZ - 1123117 - Deploy Keystone in Apache httpd
BZ - 1171744 - Configure TCP keepalive setting via puppet-rabbitmq
BZ - 1172305 - [RFE] Support Keystone read-only LDAP configuration with domain-specific identity backends
BZ - 1173930 - Horizon help url in RHEL-OSP6 points to the RHEL-OSP5 documentation
BZ - 1187343 - Packstack does not install Ironic with CONFIG_IRONIC_INSTALL flag set to "y"
BZ - 1187706 - problems with puppet-keystone LDAP support
BZ - 1193889 - puppet restart neutron server every 30 minutes on evironments deployed by staypuft
BZ - 1195252 - [keystone] - selinux denial
BZ - 1195258 - Packstack doesn't set firewall so vxlan traffic can be received in multinode setup
BZ - 1199047 - The value of use_neutron is set to false (instead of true) when neutron is used.
BZ - 1199072 - packstack does not set ironic password
BZ - 1199076 - glance_image provider doesn't respect custom region name
BZ - 1199085 - RHOS backport RDO fix for packstack error: Error: sysctl -p /etc/sysctl.conf returned 255 instead of one of
BZ - 1199114 - add openstack unified client
BZ - 1199423 - Use flake8 and hacking instead of pep8 for Python syntax checks
BZ - 1199427 - Cherrypick documentation fixes from RDO
BZ - 1199519 - Packstack install AMQP with SSL, fails to start rabbitmq service
BZ - 1199547 - Install rhos-log-collector only on RHEL systems
BZ - 1199549 - Backport packstack RDO fixes for rebased modules
BZ - 1199562 - RFE: Allow command-line options with --gen-answer-file
BZ - 1199565 - Do not delete temporary directories after a failed installation in debug mode
BZ - 1199589 - Cherry pick internal Packstack enhancements from RDO
BZ - 1199677 - Update OSP OPM to the latest RDO package
BZ - 1201875 - CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password
BZ - 1202107 - packstack --help throws a traceback at the end of the output
BZ - 1204482 - nova-novncproxy fails with ValidationError: Origin header protocol does not match this host

CVEs

CVE-2015-1842

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 6.0

SRPM
x86_64
openstack-packstack-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm	SHA-256: a50d0ae42f94a2b7777edfce1652843e81b952e274296b4f2869dc0845a57291
openstack-packstack-doc-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm	SHA-256: 98e59ca7cbfaddddfd0daf755d2131c0476f4942777c83d6439153eb03027fd9
openstack-packstack-puppet-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm	SHA-256: de276e345828dba14b696cd41a86c8421fd57c201b8ccf3e7d9f1cecb7aad622
openstack-puppet-modules-2014.2.13-2.el7ost.noarch.rpm	SHA-256: f829cee6ce53193b27108ae45472e10b65e714f5ad39c6c6c9c54e5f1f5e0030

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories