From a8c4ab769b94fd8d8d0e849a5541beee47f0532a Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Wed, 13 Mar 2019 11:17:15 +0000
Subject: [PATCH] Adds OSSA-2019-001 (CVE-2019-9735)
Change-Id: I11ec9820642d1eca14517bd39e01b5e8581cda82
Related-Bug: #1818385
---
ossa/OSSA-2019-001.yaml | 44 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 ossa/OSSA-2019-001.yaml
diff --git a/ossa/OSSA-2019-001.yaml b/ossa/OSSA-2019-001.yaml
new file mode 100644
index 0000000..180ee0f
--- /dev/null
+++ b/ossa/OSSA-2019-001.yaml
@@ -0,0 +1,44 @@
+date: 2019-03-13
+
+id: OSSA-2019-001
+
+title: Unsupported dport option prevents applying security groups
+
+description: >
+ Erik Olof Gunnar Andersson with Blizzard Entertainment reported a
+ vulnerability in Neutron's iptables firewall module. By setting a
+ destination port in a security group rule along with a protocol
+ which doesn't support that option (for example, VRRP), an
+ authenticated user may block further application of security group
+ rules for instances from any project/tenant on the compute hosts
+ to which it's applied. Only deployments using the iptables
+ security group driver are affected.
+
+affected-products:
+ - product: neutron
+ version: '<10.0.8, >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3'
+
+vulnerabilities:
+ - cve-id: CVE-2019-9735
+
+reporters:
+ - name: Erik Olof Gunnar Andersson
+ affiliation: Blizzard Entertainment
+ reported:
+ - CVE-2019-9735
+
+issues:
+ links:
+ - https://launchpad.net/bugs/1818385
+
+reviews:
+ ocata:
+ - https://review.openstack.org/640791
+ pike:
+ - https://review.openstack.org/640790
+ queens:
+ - https://review.openstack.org/640702
+ rocky:
+ - https://review.openstack.org/640685
+ stein:
+ - https://review.openstack.org/640619
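Review bot: The `description` says only deployments using the iptables security group driver are affected, but it does not name the setting an operator would check, so readers have to work out their own exposure. Consider extending the last sentence to something like `Only deployments using the iptables security group driver (see the firewall_driver option in the agent's [securitygroup] section) are affected.`, after confirming the exact driver values with the Neutron team. The text also leaves open whether rules already applied on a host stay enforced once the unsupported rule exists, and whether deleting that rule restores normal processing; one sentence on each would let operators judge urgency and recover before the fixed releases are deployed. In the clause "to which it's applied" the pronoun has no clear referent and would read better as `to which that rule is applied`.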