From 482576204dec96f580817b119e3166d71c757731 Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Mon, 24 Aug 2015 16:42:19 -0400
Subject: [PATCH] Adds OSSA-2015-015
Change-Id: I3d933886a2ddf171741ad0dac8d9ff13faffbcd4
---
ossa/OSSA-2015-015.yaml | 56 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 ossa/OSSA-2015-015.yaml
diff --git a/ossa/OSSA-2015-015.yaml b/ossa/OSSA-2015-015.yaml
new file mode 100644
index 0000000..692fb3f
--- /dev/null
+++ b/ossa/OSSA-2015-015.yaml
@@ -0,0 +1,56 @@
+date: 2015-08-25
+
+id: OSSA-2015-015
+
+title: 'Nova instance migration process does not stop when instance is deleted'
+
+description: 'George Shuklin from Webzilla LTD reported a vulnerability in Nova
+ migration process. By resizing and deleting an instance repeatedly an
+ authenticated user may overcome his quota and overload Nova computes
+ node resulting in a denial of service attack. All Nova setups are
+ affected.'
+
+affected-products:
+
+ - product: nova
+ version: versions through 2014.2.3 and 2015.1 versions through 2015.1.1
+
+vulnerabilities:
+
+ - cve-id: CVE-2015-3241
+
+reporters:
+
+ - name: 'George Shuklin'
+ affiliation: Webzilla LTD
+ reported:
+ - CVE-2015-3241
+
+issues:
+
+ links:
+ - https://launchpad.net/bugs/1387543
+
+ type: launchpad
+
+reviews:
+
+ liberty:
+ - https://review.openstack.org/194861
+ - https://review.openstack.org/192986
+
+ kilo:
+ - https://review.openstack.org/213234
+ - https://review.openstack.org/209856
+
+ juno:
+ - https://review.openstack.org/208876
+ - https://review.openstack.org/214528
+
+ type: gerrit
+
+notes:
+ - 'This fix requires oslo.concurrency >= 1.8.2 for Kilo and >= 2.3.0 for
+ Liberty. Juno fix embeds a patched version of oslo.concurrency'
+ - 'This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo)
+ releases.'
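Review bot: The `version` value under `affected-products` gives the first range no starting point and runs the two ranges together, so someone triaging a deployment cannot tell whether every release up to 2014.2.3 is meant or only one series. If the former is intended (the description does say all Nova setups are affected), spelling it out and quoting the scalar would remove the ambiguity, e.g. `version: 'all versions through 2014.2.3, and 2015.1 versions through 2015.1.1'`. Separately, the first `notes` entry carries the only operational precondition of the fix, the oslo.concurrency minimums for Kilo and Liberty. It should end with a period like the second entry, and it may be worth repeating that requirement in `description` if the advisory template allows, so an operator applying only the Nova reviews does not miss it.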