Red Hat RHSA-2013:0657
Mar 21, 2013 - 12:00 a.m.

(RHSA-2013:0657) Moderate: openstack-nova security, bug fix, and enhancement update

2013-03-21 00:00:00
access.redhat.com

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL

EPSS: 0.077 Low (Percentile 93.2%)

The openstack-nova packages provide OpenStack Compute (code name Nova),
which provides services for provisioning, managing, and using virtual
machine instances.

A denial of service flaw was found in the Extensible Markup Language (XML)
parser used by Nova. A remote attacker could use this flaw to send a
specially-crafted request to a Nova API, causing Nova to consume an
excessive amount of CPU and memory. (CVE-2013-1664)

A flaw was found in the XML parser used by Nova. If a remote attacker
sent a specially-crafted request to a Nova API, it could cause Nova to
connect to external entities, causing a large amount of system load, or
allow an attacker to read files on the Nova server that are accessible to
the user running Nova. (CVE-2013-1665)
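The two flaws above are the classic XML parser failure modes: an internal DTD whose entities expand into far more text than the request carried (CVE-2013-1664), and an entity declared with SYSTEM that makes the parser fetch a file or URL on the server's behalf (CVE-2013-1665). The following is an added example, not code from Nova or Red Hat, showing the mitigation from the defender's side with Python's expat bindings: refuse every entity declaration (and, by default, any DOCTYPE at all) before the document body is processed, so neither expansion nor an external fetch can occur. The sample documents, the `server`/`name`/`flavorRef` element names and the `file:///placeholder/...` path are constructed for the example; `measure_expansion` uses an undefended parser only to show the amplification a hardened parser avoids.

```python
"""Hardened intake for untrusted XML request bodies (added example, not Nova code)."""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to declare or fetch entities."""


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> dict:
    """Parse untrusted XML; return element count and concatenated text.

    Raises UnsafeXMLError as soon as the DTD declares an entity (internal
    ones are expansion bombs, SYSTEM/PUBLIC ones are XXE), references an
    external entity, or, with forbid_dtd=True, carries a DOCTYPE at all.
    Predefined entities such as &amp; need no declaration and still work.
    """
    parser = expat.ParserCreate()
    elements = 0
    chunks = []

    def start_element(name, attrs):
        nonlocal elements
        elements += 1

    def character_data(text):
        chunks.append(text)

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        if forbid_dtd:
            raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} refused: API input carries no DTD")

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        kind = "external" if (system_id or public_id) else "internal"
        raise UnsafeXMLError(f"{kind} entity declaration {entity_name!r} refused")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: never fetch anything on the document's behalf.
        # Not normally reached, because the declaration is refused first.
        raise UnsafeXMLError(f"external entity fetch of {system_id!r} refused")

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(chunks)}


def check_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> str:
    """Return "ok" or "rejected: <reason>", the shape an API front door would log."""
    try:
        parse_untrusted_xml(data, forbid_dtd=forbid_dtd)
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed XML: {exc}"
    return "ok"


def measure_expansion(data: bytes) -> int:
    """Undefended parse: count the characters of text the document expands to.
    Only for demonstrating amplification; never point it at real input."""
    parser = expat.ParserCreate()
    total = 0

    def character_data(text):
        nonlocal total
        total += len(text)

    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    return total


def _expansion_doc(depth: int = 3, fanout: int = 10) -> bytes:
    """Constructed nested-entity document: a<depth> expands to 3 * fanout**depth chars."""
    decls = ['<!ENTITY a0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&a{i - 1};" * fanout
        decls.append(f'<!ENTITY a{i} "{refs}">')
    body = f'<server><name>&a{depth};</name></server>'
    return ('<?xml version="1.0"?><!DOCTYPE server [' + "".join(decls) + "]>" + body).encode()


# Constructed sample inputs (not taken from any real request).
EXPANSION_DOC = _expansion_doc()
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE server [<!ENTITY ext SYSTEM "file:///placeholder/readable-by-nova-user">]>'
    b'<server><name>&ext;</name></server>'
)
SAFE_DOC = b'<?xml version="1.0"?><server><name>web &amp; db</name><flavorRef>2</flavorRef></server>'

if __name__ == "__main__":
    print(f"{len(EXPANSION_DOC)} bytes of request expand to {measure_expansion(EXPANSION_DOC)} chars")
    for label, doc in (("expansion", EXPANSION_DOC), ("xxe", XXE_DOC), ("safe", SAFE_DOC)):
        print(f"{label:9} dtd-allowed: {check_untrusted_xml(doc, forbid_dtd=False)}")
        print(f"{label:9} dtd-refused: {check_untrusted_xml(doc)}")
```

Rejecting at the declaration handler matters because expat reports the declaration before any reference to it is expanded or resolved, so the cost of the attack is never paid. The `forbid_dtd=True` default is the simpler policy for an API: no legitimate client request carries a DOCTYPE, so refusing it outright removes the entire class rather than enumerating its members.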

This update also fixes several bugs. The following are noteworthy changes:

  • In single-node, all-in-one environments, where all services (such as
    Nova, Glance, and Keystone) are installed and run on a single system, some
    instances automatically started again after a host reboot but were
    automatically shut down soon afterwards. In these cases, “Instance shutdown
    by itself. Calling the stop API” messages were logged to the Nova logs (in
    “/var/log/nova/”). (BZ#890512)

  • In environments using Quantum, creating a network with two subnets,
    removing an IP address (using “nova remove-fixed-ip”), and then adding a
    fixed address (using “nova add-fixed-ip”) resulted in the virtual machine
    having two IP addresses. (BZ#908373)

  • Prior to this update, after converting a downloaded image to raw, the
    original, downloaded image (a large .part file) was not removed. After
    installing this update, the following three options must be configured in
    “/etc/nova/nova.conf” to correctly resolve this issue:

remove_unused_base_images=true
remove_unused_resized_minimum_age_seconds=60
remove_unused_original_minimum_age_seconds=60

(BZ#911103)

Additionally, this update adds the following enhancement:

  • The RHSA-2013:0658 openstack-cinder update implemented a Cinder driver
    that allows Red Hat Storage to be used as a back-end for Cinder volumes.
    This update adds a libvirt connector to Nova, which is a requirement for
    using the new Cinder driver. Note that you must manually install the
    glusterfs and glusterfs-fuse packages on the Nova nodes.

Additionally, when running Security-Enhanced Linux (SELinux) in Enforcing
mode, the latest selinux-policy packages provided by RHBA-2013:0618 must be
installed; otherwise, denials will be logged when attempting to mount Red
Hat Storage volumes. (BZ#912384)

All users of openstack-nova are advised to upgrade to these updated
packages, which correct these issues and add this enhancement. After
installing the updated packages, the Nova running services will be
restarted automatically.
