yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #05747
[Bug 1091939] Re: nova-network applies too liberal a SNAT rule
nova (2012.1.3+stable-20130423-e52e6912-0ubuntu1) precise-proposed;
urgency=low
* Resynchronize with stable/essex (e52e6912) (LP: #1089488):
- [48e81f1] VNC proxy can be made to connect to wrong VM LP: 1125378
- [3bf5a58] snat rule too broad for some network configurations LP: 1048765
- [efaacda] DOS by allocating all fixed ips LP: 1125468
- [b683ced] Add nosehtmloutput as a test dependency.
- [45274c8] Nova unit tests not running, but still passing for stable/essex
LP: 1132835
- [e02b459] vnc unit-test fixes
- [87361d3] Jenkins jobs fail because of incompatibility between sqlalchemy-
migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
- [e98928c] VNC proxy can be made to connect to wrong VM LP: 1125378
- [c0a10db] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
- [243d516] No authentication on block device used for os-volume_boot
LP: 1069904
- [80fefe5] use_single_default_gateway does not function correctly
(LP: #1075859)
- [bd10241] Essex 2012.1.3 : Error deleting instance with 2 Nova Volumes
attached (LP: #1079745)
- [86a5937] do_refresh_security_group_rules in nova.virt.firewall is very
slow (LP: #1062314)
- [ae9c5f4] deallocate_fixed_ip attempts to update an already deleted
fixed_ip (LP: #1017633)
- [20f98c5] failed to allocate fixed ip because old deleted one exists
(LP: #996482)
- [75f6922] snapshot stays in saving state if the vm base image is deleted
(LP: #921774)
- [1076699] lock files may be removed in error dues to permissions issues
(LP: #1051924)
- [40c5e94] ensure_default_security_group() does not call sgh (LP: #1050982)
- [4eebe76] At termination, LXC rootfs is not always unmounted before
rmtree() is called (LP: #1046313)
- [47dabb3] Heavily loaded nova-compute instances don't sent reports
frequently enough (LP: #1045152)
- [b375b4f] When attach volume lost attach when node restart (LP: #1004791)
- [4ac2dcc] nova usage-list returns wrong usage (LP: #1043999)
- [014fcbc] Bridge port's hairpin mode not set after resuming a machine
(LP: #1040537)
- [2f35f8e] Nova flavor ephemeral space size reported incorrectly
(LP: #1026210)
* Dropped, superseeded by new snapshot:
- debian/patches/CVE-2013-0335.patch: [48e81f1]
- debian/patches/CVE-2013-1838.patch: [efaacda]
- debian/patches/CVE-2013-1664.patch: [c0a10db]
- debian/patches/CVE-2013-0208.patch: [243d516]
-- Yolanda <yolanda.robla@xxxxxxxxxxxxx> Mon, 22 Apr 2013 12:37:08
+0200
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0208
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-0335
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-1664
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-1838
** Changed in: nova (Ubuntu Precise)
Status: In Progress => Fix Released
** Changed in: nova (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1091939
Title:
nova-network applies too liberal a SNAT rule
Status in OpenStack Compute (Nova):
Invalid
Status in “nova” package in Ubuntu:
Fix Released
Status in “nova” source package in Precise:
Fix Released
Bug description:
Version: 2012.1.3+stable-20120827-4d2a4afe-0ubuntu1
We recently set up a new Nova cluster on precise + essex with Juju and
MaaS, and ran into a problem where instances could not communicate
with the swift-proxy node on the MaaS network. This turned out to be
due to nova-network installing a SNAT rule for the cluster's public IP
that applied to all network traffic, not just that traffic destined to
exit towards the Internet.
This problem has been fixed upstream in
https://github.com/openstack/nova/commit/959c93f6d3572a189fc3fe73f1811c12323db857
Please consider applying this change to Ubuntu 12.04 LTS in an SRU.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1091939/+subscriptions
