
yahoo-eng-team team mailing list archive

[Bug 1837339] Re: CIDRs of the form 12.34.56.78/0 should be an error

Since this definitely will benefit from a broader discussion and there's
no benefit to keeping the report private, I've switched it to public
security for now.

I feel like this doesn't actually describe a vulnerability which would
get fixes backported to old releases, but rather a security hardening
opportunity for upcoming releases. Regardless, it's worth getting
additional input from whichever folks are going to be designing the
solution to this.

** Information type changed from Private Security to Public Security

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1837339

Title:
  CIDRs of the form 12.34.56.78/0 should be an error

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  The problem is that some users do not understand how CIDRs work, and
  incorrectly use /0 when they are trying to specify a single IP or a
  subnet in an Access Rule.  Unfortunately 12.34.56.78/0 means the same
  thing as 0.0.0.0/0.

  The proposed fix is to insist that /0 only be used with 0.0.0.0/0 and
  the IPv6 equivalent ::/0 when entering or updating Access Rule CIDRs
  via the dashboard.

  I am labeling this as a security vulnerability since it leads to naive
  users creating instances with ports open to the world when they didn't
  intend to do that.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1837339/+subscriptions
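The check the bug description proposes, written out as an added example; this is not Horizon's code and the function name, return shape and message wording are assumptions. It relies on Python's ipaddress module in strict mode, which refuses any CIDR whose host bits are non-zero, so it rejects 12.34.56.78/0 (which the report notes is the same as 0.0.0.0/0) and, more generally, inputs such as 12.34.56.78/24, while still accepting the explicit 0.0.0.0/0 and ::/0 forms. The returned message points the user at the two things they most likely meant.

```python
import ipaddress
from typing import Tuple

# Hypothetical validator for an Access Rule CIDR field (not Horizon's own code).
# Returns (accepted, message). On success the message is the normalized CIDR;
# on failure it explains what the input actually means and what was probably intended.
def check_access_rule_cidr(cidr: str) -> Tuple[bool, str]:
    try:
        # strict=True raises ValueError when any host bit is set,
        # e.g. "12.34.56.78/0" or "12.34.56.78/24".
        network = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        # Re-parse leniently to find out whether it was a CIDR at all and,
        # if so, what network the masked-off form would have been.
        try:
            masked = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return False, f"{cidr!r} is not a valid IPv4 or IPv6 CIDR"

        # The single-host form of the address the user typed (/32 or /128).
        single_host = f"{cidr.split('/')[0]}/{masked.max_prefixlen}"

        if masked.prefixlen == 0:
            # The case from the bug report: a non-zero address with /0
            # silently means "anywhere".
            return False, (
                f"{cidr} means every address (same as {masked}); "
                f"use {single_host} for a single host or {masked} to allow anywhere"
            )
        # Any other prefix with host bits set: the rule would be widened
        # to the containing subnet without the user noticing.
        return False, (
            f"{cidr} has host bits set; did you mean {masked} "
            f"(the whole subnet) or {single_host} (a single host)?"
        )
    return True, str(network)


if __name__ == "__main__":
    # Constructed sample inputs covering the accepted and rejected forms.
    for sample in ["12.34.56.78/0", "0.0.0.0/0", "::/0", "12.34.56.78/32",
                   "12.34.56.78/24", "2001:db8::1/0", "not-a-cidr"]:
        accepted, message = check_access_rule_cidr(sample)
        print(f"{'OK    ' if accepted else 'REJECT'} {message}")
```

Because the strict parse also accepts a bare address such as 12.34.56.78 (normalized to 12.34.56.78/32), the validator does not force users to type a prefix length for single hosts; it only refuses the ambiguous forms.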