
yahoo-eng-team team mailing list archive

[Bug 1818385] Re: It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735)

 

Reviewed:  https://review.openstack.org/642145
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4350ed3c3556388eaa7f8623ed05b5adc86e9c16
Submitter: Zuul
Branch:    master

commit 4350ed3c3556388eaa7f8623ed05b5adc86e9c16
Author: Brian Haley <bhaley@xxxxxxxxxx>
Date:   Fri Mar 8 15:24:24 2019 -0500

    Better handle ports in security groups
    
    After taking a closer look at bug 1818385, I found a couple
    of follow-on things to fix in the security group code.
    
    First, there are very few protocols that accept ports,
    especially via iptables.  For this reason I think it's
    acceptable that the API rejects them as invalid.
    
    Second, UDPlite has some interesting support in iptables.  It
    does not support using --dport directly, but does using
    '-m multiport --dports 123', and also supports port ranges using
    '-m multiport --dports 123:124'.  Added code for this special
    case.
    
    Change-Id: Ifb2e6bb6c7a2e2987ba95040ef5a98ed50aa36d4
    Closes-Bug: #1818385


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1818385

Title:
  It's possible to add a security group rule for VRRP with a dport
  (CVE-2019-9735)

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Triaged

Bug description:
  This command should be invalid, but Neutron (Rocky) allows it to be created.
  > openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112

  Since iptables does not allow dst-port to be passed, it would trigger the following error on the compute and fail to apply any future iptables rules.
  > unknown option "--dport"

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1818385/+subscriptions
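The two behaviours the commit message describes (reject a port on a protocol that takes none, such as the VRRP rule from the bug description, and translate UDPlite ports into `-m multiport --dports`) can be modelled in a small port-to-iptables helper. The block below is an added example written for this page; it is not neutron's code and not the commit's change. The protocol table (IANA numbers for a constructed subset of protocols), the set of protocols treated as accepting `--dport`, and the function and exception names are this example's own assumptions; ICMP type/code, which Neutron carries in the same port fields, is deliberately left out.

```python
"""Port handling for security group rules, modelled on the commit above.

Added example, not code from neutron or from the commit.  It shows the two
behaviours the commit message describes: a port given with a protocol that
takes none (the VRRP case from the bug) is rejected before anything reaches
iptables, and UDPlite gets '-m multiport --dports' instead of the '--dport'
option it lacks.  Protocol names, numbers and helper names are assumptions
made for this example.
"""

# Assumption: protocols whose iptables match extension understands --dport
# (modelled on the tcp/udp/sctp/dccp match modules).
DPORT_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}

# Per the commit message: udplite takes ports only via the multiport match.
MULTIPORT_PROTOCOLS = {"udplite"}

# Constructed subset of IANA protocol numbers; anything else is rejected.
# VRRP (112) is listed precisely because it takes no port.
PROTOCOL_NUMBERS = {
    "tcp": 6, "udp": 17, "dccp": 33, "sctp": 132, "udplite": 136,
    "vrrp": 112, "gre": 47, "esp": 50, "ah": 51,
}
_NUMBER_TO_NAME = {num: name for name, num in PROTOCOL_NUMBERS.items()}


class InvalidRule(ValueError):
    """Raised for rules the API should refuse instead of handing to iptables."""


def normalize_protocol(protocol):
    """Map a protocol name or decimal number string to a known lowercase name."""
    proto = str(protocol).strip().lower()
    if proto.isdigit():
        proto = _NUMBER_TO_NAME.get(int(proto), proto)
    if proto not in PROTOCOL_NUMBERS:
        raise InvalidRule("unsupported protocol %r" % (protocol,))
    return proto


def validate_ports(proto, port_min, port_max):
    """Return (lo, hi), or (None, None) when no port was given.

    Rejects any port on a protocol that does not take one, and any range
    outside 1..65535 or with lo > hi.
    """
    if port_min is None and port_max is None:
        return None, None
    if proto not in DPORT_PROTOCOLS | MULTIPORT_PROTOCOLS:
        raise InvalidRule("protocol %s does not take a port" % proto)
    if port_min is None:
        port_min = port_max
    if port_max is None:
        port_max = port_min
    if not (1 <= port_min <= port_max <= 65535):
        raise InvalidRule("bad port range %s:%s" % (port_min, port_max))
    return port_min, port_max


def iptables_match(protocol, port_min=None, port_max=None):
    """Build the '-p ... --dport ...' argument list for one ingress rule.

    Raises InvalidRule instead of emitting a fragment that iptables would
    reject with 'unknown option "--dport"', which (per the bug) blocks every
    later rule on that host from being applied.
    """
    proto = normalize_protocol(protocol)
    lo, hi = validate_ports(proto, port_min, port_max)
    args = ["-p", proto]
    if lo is None:
        return args
    ports = str(lo) if lo == hi else "%d:%d" % (lo, hi)
    if proto in MULTIPORT_PROTOCOLS:
        # multiport takes a single port or a lo:hi range under --dports.
        args += ["-m", "multiport", "--dports", ports]
    else:
        args += ["-m", proto, "--dport", ports]
    return args


if __name__ == "__main__":
    print(iptables_match("tcp", 22))
    print(iptables_match("udplite", 123, 124))
    try:
        iptables_match("vrrp", 112)  # the rule from the bug report
    except InvalidRule as exc:
        print("rejected:", exc)
```

The check lives in front of the rule builder on purpose: once a bad fragment reaches the agent, `iptables-restore` fails as a unit and every later rule on that compute host is lost with it, which is the impact the bug describes.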

