[OSSN-0086] erratum: Dell EMC ScaleIO/VxFlex OS Backend Credentials Exposure

Brian Rosmaita-2
As you may recall, the fix for this issue required patches for both
Cinder and the os-brick library.

The original patch for os-brick contained a flaw [0] that prevented the
scaleio connector from operating when run under Python 2.7.  Thus for
OpenStack releases supporting Python 2.7 (that is, Train and earlier), a
second os-brick patch is required and is listed below.  (The Cinder patch
and the first os-brick patch are unchanged, but are listed below for
completeness.)

[0] https://bugs.launchpad.net/os-brick/+bug/1883654


### Patches ###

Queens
* cinder: https://review.opendev.org/733110
* os-brick: https://review.opendev.org/733104
             and https://review.opendev.org/736749

Rocky
* cinder: https://review.opendev.org/733109
* os-brick: https://review.opendev.org/733103
             and https://review.opendev.org/736415

Stein
* cinder: https://review.opendev.org/733108
* os-brick: https://review.opendev.org/733102
             and https://review.opendev.org/736395

Train
* cinder: https://review.opendev.org/733107
* os-brick: https://review.opendev.org/733100
             and https://review.opendev.org/735989

Updated releases of os-brick incorporating the second patch are now
available:
Stein: os-brick 2.8.6
Train: os-brick 2.10.4

Point releases of cinder for Stein and Train will be made as soon as
possible.  These will be:
Stein: cinder 14.1.1, requires os-brick 2.8.6
Train: cinder 15.2.1, requires os-brick 2.10.4
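
A post-upgrade check for Stein and Train nodes, written as an added example
for this erratum and not code from the OSSN, cinder or os-brick.  It encodes
the minimum os-brick releases named above, compares them numerically (a
plain string compare ranks "2.8.6" above "2.10.4", which is exactly the wrong
answer here), and then tries to import the scaleio connector under the
running interpreter, since an import failure is how the Python 2.7 breakage
from the first patch shows up.  The module path
os_brick.initiator.connectors.scaleio and the distribution name "os-brick"
are assumed from the os-brick tree; the version check itself needs neither
installed.

```python
"""Check that an os-brick install carries the second OSSN-0086 patch.

Added example for the erratum; not part of cinder or os-brick.
"""
import importlib
import sys

# Minimum os-brick releases carrying the second patch, per the erratum.
# Queens and Rocky only have review links on the page, so no version here.
MIN_OS_BRICK = {
    "stein": (2, 8, 6),
    "train": (2, 10, 4),
}


def parse_version(text):
    """'2.10.4' -> (2, 10, 4).  Trailing non-digits ('4rc1') are dropped
    and a purely alphabetic component ('post1', 'dev') counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def meets_minimum(release, installed):
    """True when the installed os-brick version string satisfies the
    minimum for the given release ('stein' or 'train')."""
    required = MIN_OS_BRICK[release.lower()]
    have = parse_version(installed)
    # Pad to equal length so (2, 8) compares sensibly against (2, 8, 6).
    width = max(len(have), len(required))
    have += (0,) * (width - len(have))
    required += (0,) * (width - len(required))
    return have >= required


def installed_os_brick_version():
    """Version string of the installed os-brick, or None if not found.
    Assumes the distribution is named 'os-brick' (its PyPI name)."""
    try:
        from importlib.metadata import version  # Python 3.8+
    except ImportError:
        return None
    try:
        return version("os-brick")
    except Exception:
        return None


def scaleio_connector_imports():
    """Return (ok, detail) after trying to import the scaleio connector.
    The module path is assumed from the os-brick source tree."""
    try:
        importlib.import_module("os_brick.initiator.connectors.scaleio")
    except Exception as exc:  # ImportError, SyntaxError, or a py27 failure
        return False, "%s: %s" % (type(exc).__name__, exc)
    return True, "ok"


def report(release, installed=None):
    """Human-readable summary; installed may be passed for offline use."""
    ver = installed or installed_os_brick_version()
    if ver is None:
        return "os-brick not found; cannot verify %s minimum" % release
    verdict = "OK" if meets_minimum(release, ver) else "TOO OLD"
    ok, detail = scaleio_connector_imports()
    return "os-brick %s for %s: %s; scaleio connector import: %s" % (
        ver, release, verdict, detail if not ok else "ok")


if __name__ == "__main__":
    rel = sys.argv[1] if len(sys.argv) > 1 else "train"
    print(report(rel))
```

Run it as `python check.py train` (or `stein`) with the same interpreter
cinder-volume uses; on a Train node that still runs Python 2.7 the import
step is the one that matters, because a version number alone does not prove
the connector loads.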


### Contacts / References ###
Author: Brian Rosmaita, Red Hat
OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0086
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1823200
Mailing List : [Security] tag on [hidden email]
OpenStack Security Project : https://launchpad.net/~openstack-ossg
CVE: CVE-2020-10755

_______________________________________________
OpenStack-announce mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce