PublicDateAtUSN: 2015-09-08
Candidate: CVE-2015-3241
PublicDate: 2015-09-08 15:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3241
 http://lists.openstack.org/pipermail/openstack-announce/2015-August/000563.html
 https://ubuntu.com/security/notices/USN-3449-1
Description:
 OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier
 does not stop the migration process when the instance is deleted, which
 allows remote authenticated users to cause a denial of service (disk,
 network, and other resource consumption) by resizing and then deleting an
 instance.
Ubuntu-Description:
Notes:
 mdeslaur> from announcement: "This fix requires oslo.concurrency >= 1.8.2
 mdeslaur> for Kilo and >= 2.3.0 for Liberty. Juno fix embeds a patched
 mdeslaur> version of oslo.concurrency."
Bugs:
 https://launchpad.net/bugs/1387543
Priority: medium
Discovered-by: George Shuklin
Assigned-to: mdeslaur
CVSS:

Patches_nova:
 upstream: https://review.openstack.org/208876 (Juno)
 upstream: https://review.openstack.org/214528 (Juno)
 upstream: https://review.openstack.org/213234 (Kilo)
 upstream: https://review.openstack.org/209856 (Kilo)
 upstream: https://review.openstack.org/194861 (Liberty)
 upstream: https://review.openstack.org/192986 (Liberty)
upstream_nova: released (2014.2.4,2015.1.2)
precise_nova: ignored (reached end-of-life)
precise/esm_nova: DNE (precise was needed)
trusty_nova: released (1:2014.1.5-0ubuntu1.7)
trusty/esm_nova: DNE (trusty was released [1:2014.1.5-0ubuntu1.7])
utopic_nova: ignored (reached end-of-life)
vivid_nova: not-affected (1:2015.1.2-0ubuntu1)
vivid/stable-phone-overlay_nova: DNE
vivid/ubuntu-core_nova: DNE
wily_nova: not-affected (2:12.0.0-0ubuntu2)
xenial_nova: not-affected (2:12.0.0-0ubuntu2)
esm-infra/xenial_nova: not-affected (2:12.0.0-0ubuntu2)
yakkety_nova: not-affected (2:12.0.0-0ubuntu2)
zesty_nova: not-affected (2:12.0.0-0ubuntu2)
devel_nova: not-affected (2:12.0.0-0ubuntu2)