Red Hat Product Errata RHSA-2015:0789 - Security Advisory
Issued:
2015-04-07
Updated:
2015-04-07

RHSA-2015:0789 - Security Advisory

Synopsis

Important: openstack-packstack and openstack-puppet-modules security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated openstack-packstack and openstack-puppet-modules packages that fix
one security issue and several bugs are now available for Red Hat
Enterprise Linux OpenStack Platform 6.0.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

PackStack is a command-line utility for deploying OpenStack on existing
servers over an SSH connection. Deployment options are provided either
interactively, using the command line, or non-interactively by means of a
text file containing a set of preconfigured values for OpenStack
parameters. PackStack is suitable for proof-of-concept installations.
PackStack is suitable for deploying proof-of-concept installations.

It was discovered that the puppet manifests, as provided with the
openstack-puppet-modules package, would configure the pcsd daemon with a
known default password. If this password was not changed and an attacker
was able to gain access to pcsd, they could potentially run shell commands
as root. (CVE-2015-1842)

This issue was discovered by Alessandro Vozza of Red Hat.

This update also fixes the following bugs:

  • If OpenStack Networking is enabled, Packstack would display a warning if

the Network Manager service is active on hosts. (BZ#1117277)

  • A quiet dependency on a newer version of selinux-policy causes

openstack-selinux 0.6.23 to fail to install modules when paired with
selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z.
This causes Identity and other OpenStack services to receive 'AVC' denials
and malfunction under some circumstances. The following workarounds allow
the OpenStack services to function correctly:

1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update
to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve
the issue.

2) Install the updated selinux-policy and selinux-policy-targeted packages
from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or
later), then update openstack-selinux to version 0.6.23-1.el7ost.
(BZ#1195252)

  • A typo in the code caused a Sahara option that uses OpenStack Networking

to be always false. Sahara now uses OpenStack Networking if the parameter
'CONFIG_NEUTRON_INSTALL is set to 'y'. (BZ#1199047)

  • Prior to this update, users had to install the OpenStack Unified Client

separately after an installation of Packstack. Packstack now installs it by
default. (BZ#1199114)

  • This enhancement updates Packstack to retain temporary directories when

running an installation in debug mode. This assists with troubleshooting
activities. As a result, temporary directories are not deleted when running
Packstack with the --debug command line option. (BZ#1199565)

  • Prior to this update, some validators did not use 'validate_not_empty' to

ensure that certain parameters contained values. As a result, a number of
internal validations could not be properly handled, leading to the
possibility of unexpected errors. This update fixes validators to use
validate_not_empty when required, resulting in correct validation behavior
from validators. (BZ#11995889)

In addition to the above issues, this update also addresses bugs and
enhancements which can be found in the Red Hat Enterprise Linux OpenStack
Platform Technical Notes, linked to in the References section.

All openstack-packstack and openstack-puppet-modules users are advised to
upgrade to these updated packages, which correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenStack 6.0 x86_64

Fixes

  • BZ - 1117277 - Test Packstack/RHEL OSP on RHEL 7 nodes where Network Manager is NOT disabled
  • BZ - 1123117 - Deploy Keystone in Apache httpd
  • BZ - 1171744 - Configure TCP keepalive setting via puppet-rabbitmq
  • BZ - 1172305 - [RFE] Support Keystone read-only LDAP configuration with domain-specific identity backends
  • BZ - 1173930 - Horizon help url in RHEL-OSP6 points to the RHEL-OSP5 documentation
  • BZ - 1187343 - Packstack does not install Ironic with CONFIG_IRONIC_INSTALL flag set to "y"
  • BZ - 1187706 - problems with puppet-keystone LDAP support
  • BZ - 1193889 - puppet restart neutron server every 30 minutes on evironments deployed by staypuft
  • BZ - 1195252 - [keystone] - selinux denial
  • BZ - 1195258 - Packstack doesn't set firewall so vxlan traffic can be received in multinode setup
  • BZ - 1199047 - The value of use_neutron is set to false (instead of true) when neutron is used.
  • BZ - 1199072 - packstack does not set ironic password
  • BZ - 1199076 - glance_image provider doesn't respect custom region name
  • BZ - 1199085 - RHOS backport RDO fix for packstack error: Error: sysctl -p /etc/sysctl.conf returned 255 instead of one of
  • BZ - 1199114 - add openstack unified client
  • BZ - 1199423 - Use flake8 and hacking instead of pep8 for Python syntax checks
  • BZ - 1199427 - Cherrypick documentation fixes from RDO
  • BZ - 1199519 - Packstack install AMQP with SSL, fails to start rabbitmq service
  • BZ - 1199547 - Install rhos-log-collector only on RHEL systems
  • BZ - 1199549 - Backport packstack RDO fixes for rebased modules
  • BZ - 1199562 - RFE: Allow command-line options with --gen-answer-file
  • BZ - 1199565 - Do not delete temporary directories after a failed installation in debug mode
  • BZ - 1199589 - Cherry pick internal Packstack enhancements from RDO
  • BZ - 1199677 - Update OSP OPM to the latest RDO package
  • BZ - 1201875 - CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password
  • BZ - 1202107 - packstack --help throws a traceback at the end of the output
  • BZ - 1204482 - nova-novncproxy fails with ValidationError: Origin header protocol does not match this host

Red Hat OpenStack 6.0

SRPM
x86_64
openstack-packstack-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm SHA-256: a50d0ae42f94a2b7777edfce1652843e81b952e274296b4f2869dc0845a57291
openstack-packstack-doc-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm SHA-256: 98e59ca7cbfaddddfd0daf755d2131c0476f4942777c83d6439153eb03027fd9
openstack-packstack-puppet-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm SHA-256: de276e345828dba14b696cd41a86c8421fd57c201b8ccf3e7d9f1cecb7aad622
openstack-puppet-modules-2014.2.13-2.el7ost.noarch.rpm SHA-256: f829cee6ce53193b27108ae45472e10b65e714f5ad39c6c6c9c54e5f1f5e0030

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.