Issued:: 2015-10-22
Updated:: 2015-10-22

RHSA-2015:1929 - Security Advisory

Overview
Updated Packages

Synopsis

Important: openstack-ironic-discoverd security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated openstack-ironic-discoverd packages that fix one security issue are
now available for Red Hat Enterprise Linux OpenStack Platform 7.0.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

Ironic provides bare metal provisioning for OpenStack nodes.

It was discovered that enabling debug mode in openstack-ironic-discoverd
also enables debug mode in the underlying Flask framework. If errors are
encountered while Flask is in debug mode, a user experiencing an error may
be able to access the debug console (effectively, a command shell).
(CVE-2015-5306)

All openstack-ironic-discoverd users are advised to upgrade to these
updated packages, which correct this issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 7 x86_64

Fixes

BZ - 1256421 - Incorrect RAM report
BZ - 1273698 - CVE-2015-5306 openstack-ironic-discoverd: potential remote code execution with debug mode enabled

CVEs

CVE-2015-5306

References

http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 7

SRPM
openstack-ironic-discoverd-1.1.0-8.el7ost.src.rpm	SHA-256: 8af98bae051f3453dd58964fd8c21015dee8edeb346ccd37f985ec40f42350dc
x86_64
openstack-ironic-discoverd-1.1.0-8.el7ost.noarch.rpm	SHA-256: b6fffacbedbd8f25f3c02d7427c4c2117cc82b9f0f9c7d2b794d6a0f57006af3
openstack-ironic-discoverd-ramdisk-1.1.0-8.el7ost.noarch.rpm	SHA-256: f562738c65b9662f24954ba19eb89d38296f9b3d87bd19cf313a0440b05df8ad
python-ironic-discoverd-1.1.0-8.el7ost.noarch.rpm	SHA-256: 80431c87c77ebd76893ee2a895259b4c7466cbc4bdcb19bb6da1897908fef30c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Ansible.com

Red Hat Ecosystem Catalog

Red Hat Hybrid Cloud Console

Red Hat Store

Red Hat Marketplace

Red Hat Summit and AnsibleFest