yahoo-eng-team team mailing list archive

[Bug 1091939] Re: nova-network applies too liberal a SNAT rule

 

nova (2012.1.3+stable-20130423-e52e6912-0ubuntu1) precise-proposed; urgency=low

  * Resynchronize with stable/essex (e52e6912) (LP: #1089488):
    - [48e81f1] VNC proxy can be made to connect to wrong VM LP: 1125378
    - [3bf5a58] snat rule too broad for some network configurations LP: 1048765
    - [efaacda] DOS by allocating all fixed ips LP: 1125468
    - [b683ced] Add nosehtmloutput as a test dependency.
    - [45274c8] Nova unit tests not running, but still passing for stable/essex
      LP: 1132835
    - [e02b459] vnc unit-test fixes
    - [87361d3] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [e98928c] VNC proxy can be made to connect to wrong VM LP: 1125378
    - [c0a10db] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
    - [243d516] No authentication on block device used for os-volume_boot
      LP: 1069904
    - [80fefe5] use_single_default_gateway does not function correctly
      (LP: #1075859)
    - [bd10241] Essex 2012.1.3 : Error deleting instance with 2 Nova Volumes
      attached (LP: #1079745)
    - [86a5937] do_refresh_security_group_rules in nova.virt.firewall is very
      slow (LP: #1062314)
    - [ae9c5f4] deallocate_fixed_ip attempts to update an already deleted
      fixed_ip (LP: #1017633)
    - [20f98c5] failed to allocate fixed ip because old deleted one exists
      (LP: #996482)
    - [75f6922] snapshot stays in saving state if the vm base image is deleted
      (LP: #921774)
    - [1076699] lock files may be removed in error dues to permissions issues
      (LP: #1051924)
    - [40c5e94] ensure_default_security_group() does not call sgh (LP: #1050982)
    - [4eebe76] At termination, LXC rootfs is not always unmounted before
      rmtree() is called (LP: #1046313)
    - [47dabb3] Heavily loaded nova-compute instances don't sent reports
      frequently enough (LP: #1045152)
    - [b375b4f] When attach volume lost attach when node restart (LP: #1004791)
    - [4ac2dcc] nova usage-list returns  wrong usage (LP: #1043999)
    - [014fcbc] Bridge port's hairpin mode not set after resuming a machine
      (LP: #1040537)
    - [2f35f8e] Nova flavor ephemeral space size reported incorrectly
      (LP: #1026210)
  * Dropped, superseded by new snapshot:
    - debian/patches/CVE-2013-0335.patch: [48e81f1]
    - debian/patches/CVE-2013-1838.patch: [efaacda]
    - debian/patches/CVE-2013-1664.patch: [c0a10db]
    - debian/patches/CVE-2013-0208.patch: [243d516]

 -- Yolanda <yolanda.robla@xxxxxxxxxxxxx>  Mon, 22 Apr 2013 12:37:08 +0200


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0208

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0335

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1664

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1838

** Changed in: nova (Ubuntu Precise)
       Status: In Progress => Fix Released

** Changed in: nova (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1091939

Title:
  nova-network applies too liberal a SNAT rule

Status in OpenStack Compute (Nova):
  Invalid
Status in “nova” package in Ubuntu:
  Fix Released
Status in “nova” source package in Precise:
  Fix Released

Bug description:
  Version: 2012.1.3+stable-20120827-4d2a4afe-0ubuntu1

  We recently set up a new Nova cluster on precise + essex with Juju and
  MaaS, and ran into a problem where instances could not communicate
  with the swift-proxy node on the MaaS network.  This turned out to be
  due to nova-network installing a SNAT rule for the cluster's public IP
  that applied to all network traffic, not just that traffic destined to
  exit towards the Internet.

  This problem has been fixed upstream in
  https://github.com/openstack/nova/commit/959c93f6d3572a189fc3fe73f1811c12323db857

  Please consider applying this change to Ubuntu 12.04 LTS in an SRU.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1091939/+subscriptions