
yahoo-eng-team team mailing list archive

[Bug 1357379] Re: [OSSA 2014-031] policy admin_only rules not enforced when changing value to default (CVE-2014-6414)


** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1357379

Title:
  [OSSA 2014-031] policy admin_only rules not enforced when changing
  value to default (CVE-2014-6414)

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in neutron havana series:
  Invalid
Status in neutron icehouse series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  If a non-admin user tries to update an attribute that should be
  updated only by an admin from a non-default value to the default, the
  update is successfully performed and the PolicyNotAuthorized exception
  is not raised.

  The reason is that when a rule to match for a given action is built,
  there is a verification that each attribute in the body of the resource
  is present and has a non-default value. Thus, if we try to change some
  attribute's value to the default, it is not considered to be explicitly
  set and the corresponding rule is not enforced.
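  The mechanism in the description, shown with a constructed mini policy engine (added example; this is not Neutron's own policy code, and the attribute names, defaults and rule strings are assumptions modelled loosely on a network resource). The vulnerable rule builder treats an attribute as "explicitly set" only when its requested value differs from the schema default, so a tenant sending the default value never triggers the admin_only rule; the fixed builder keys on the attribute's presence in the update body instead, which is the property that actually marks the caller's intent.

```python
# Added example, not Neutron's own code. Models the bug from the description:
# a rule builder that ignores attributes whose requested value equals the
# default lets a non-admin reset an admin-only attribute to that default.


class PolicyNotAuthorized(Exception):
    """Raised when a non-admin context touches an admin-only attribute."""


# Constructed attribute map (hypothetical names): schema default and whether
# the attribute may only be changed by an admin.
RESOURCE_ATTRS = {
    "name": {"default": "", "admin_only": False},
    "shared": {"default": False, "admin_only": True},
    "router:external": {"default": False, "admin_only": True},
}


def build_rules_vulnerable(body):
    """Vulnerable builder: an attribute counts as explicitly set only when it
    is present AND differs from its default, so {'shared': False} yields no
    rule at all and is never checked against the admin_only policy."""
    rules = set()
    for attr, spec in RESOURCE_ATTRS.items():
        explicitly_set = attr in body and body[attr] != spec["default"]
        if explicitly_set and spec["admin_only"]:
            rules.add("update_network:%s" % attr)
    return rules


def build_rules_fixed(body):
    """Fixed builder: presence in the request body is what makes an attribute
    explicitly set; whether the value happens to equal the default is
    irrelevant to enforcement."""
    rules = set()
    for attr, spec in RESOURCE_ATTRS.items():
        if attr in body and spec["admin_only"]:
            rules.add("update_network:%s" % attr)
    return rules


def enforce(is_admin, body, rule_builder):
    """Derive the rules for this update body and evaluate them: admin_only
    rules pass only for an admin context. Returns the set of rules checked."""
    rules = rule_builder(body)
    if rules and not is_admin:
        raise PolicyNotAuthorized("rules %s require admin" % sorted(rules))
    return rules


def tenant_can_update(body, rule_builder):
    """True if a non-admin tenant would be allowed to apply this update body."""
    try:
        enforce(False, body, rule_builder)
    except PolicyNotAuthorized:
        return False
    return True


if __name__ == "__main__":
    # Constructed update bodies: one resets an admin-only attribute to its
    # default, the other sets it to a non-default value.
    reset_to_default = {"shared": False}
    set_non_default = {"shared": True}
    for name, builder in (("vulnerable", build_rules_vulnerable),
                          ("fixed", build_rules_fixed)):
        print(name, "tenant resets shared -> False:",
              tenant_can_update(reset_to_default, builder))
        print(name, "tenant sets shared -> True:",
              tenant_can_update(set_non_default, builder))
```

The point to take from the fixed builder is that "did the caller send this attribute" and "is the value non-default" are different questions; authorization must hinge on the first, because a caller who sends the default is still asserting control over an admin-only field.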

