RHSA-2014:0090 (Red Hat), published Jan 22, 2014

(RHSA-2014:0090) Moderate: openstack-heat security, bug fix, and enhancement update

2014-01-22 00:00:00
Source: access.redhat.com

EPSS: 0.002 (percentile 56.5%)

The openstack-heat packages provide heat, a Python implementation of the
OpenStack Orchestration engine, to launch multiple composite cloud
applications based on templates.

It was found that heat did not properly enforce cloudformation-compatible
API policy rules. An in-instance attacker could use the CreateStack or
UpdateStack methods to create or update a stack, resulting in a violation
of the API policy. Note that only setups using Orchestration’s
cloudformation-compatible API were affected. (CVE-2013-6426)

A flaw was found in the way Orchestration’s REST API implementation handled
modified request paths. An authenticated remote user could use this flaw to
bypass the tenant-scoping restriction by modifying the request path,
resulting in privilege escalation. Note that only setups using
Orchestration’s cloudformation-compatible API were affected.
(CVE-2013-6428)
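The two checks the advisory says were missing, as an added illustration in Python (a constructed example written for this page, not heat's own code): a per-action policy that denies CreateStack and UpdateStack to an in-instance heat_stack_user identity, and tenant scoping that rejects a REST path whose tenant segment does not match the tenant in the caller's validated token. The policy table, the role name, the path shape and every function name here are assumptions; the unchecked variant is shown beside the checked one so the path-rewrite bypass is visible.

```python
"""Constructed example of API policy enforcement and REST tenant scoping
in the style of an OpenStack service. Not heat's code; the policy rules,
role name and path layout below are assumptions made for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """What a validated Keystone token tells the service about the caller."""
    tenant_id: str
    roles: frozenset


class PolicyViolation(Exception):
    pass


class TenantMismatch(Exception):
    pass


# Hypothetical policy table: an in-instance identity (assumed role name
# heat_stack_user) may never create, update or delete stacks.
HEAT_STACK_USER = "heat_stack_user"
DENIED_TO_STACK_USER = frozenset({
    "cloudformation:CreateStack",
    "cloudformation:UpdateStack",
    "cloudformation:DeleteStack",
})


def enforce_policy(ctx: Context, action: str) -> bool:
    """Return True if ctx may perform action; raise PolicyViolation otherwise."""
    if HEAT_STACK_USER in ctx.roles and action in DENIED_TO_STACK_USER:
        raise PolicyViolation(f"{action} is denied to role {HEAT_STACK_USER}")
    return True


# Assumed REST path shape: /v1/<tenant_id>/stacks[/<stack_name>/<stack_id>]
_STACK_PATH = re.compile(r"^/v1/(?P<tenant>[^/]+)/stacks(?:/(?P<rest>.+))?$")


def tenant_from_path(path: str) -> str:
    """Extract the tenant segment from a stacks URL, or raise on an odd path."""
    m = _STACK_PATH.match(path)
    if m is None:
        raise ValueError(f"unrecognised path {path!r}")
    return m.group("tenant")


def scope_unchecked(ctx: Context, path: str) -> str:
    """Weak pattern: trust the tenant named in the path and ignore the token.
    A caller holding a token for tenant A who rewrites the path to name
    tenant B is served tenant B's stacks."""
    return tenant_from_path(path)


def scope_checked(ctx: Context, path: str) -> str:
    """Hardened pattern: the path tenant must equal the token's tenant."""
    path_tenant = tenant_from_path(path)
    if path_tenant != ctx.tenant_id:
        raise TenantMismatch(
            f"token is scoped to {ctx.tenant_id}, path names {path_tenant}")
    return path_tenant


def authorize(ctx: Context, path: str, action: str) -> str:
    """Full check for one REST call: tenant scoping first, then action policy.
    Returns the tenant the request is allowed to operate on."""
    tenant = scope_checked(ctx, path)
    enforce_policy(ctx, action)
    return tenant


if __name__ == "__main__":
    member = Context("tenant-a", frozenset({"Member"}))
    instance = Context("tenant-a", frozenset({HEAT_STACK_USER}))

    # Path rewritten to another tenant: the unchecked variant serves tenant-b.
    print("unchecked:", scope_unchecked(member, "/v1/tenant-b/stacks"))
    try:
        scope_checked(member, "/v1/tenant-b/stacks")
    except TenantMismatch as exc:
        print("checked rejected:", exc)

    # In-instance identity attempting CreateStack on its own tenant.
    try:
        authorize(instance, "/v1/tenant-a/stacks", "cloudformation:CreateStack")
    except PolicyViolation as exc:
        print("policy rejected:", exc)

    print("member allowed:",
          authorize(member, "/v1/tenant-a/stacks", "cloudformation:CreateStack"))
```

The order inside authorize matters: scope first, so that an unscoped caller never reaches the policy layer with a tenant it does not own, and then the per-action rule, so that a correctly scoped but low-privilege identity still cannot create or update stacks.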

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for
reporting these issues. Upstream acknowledges Steven Hardy of Red Hat as
the original reporter.

The openstack-heat packages have been upgraded to upstream version
2013.2.1, which provides a number of bug fixes and enhancements over the
previous version. The most notable fixes and enhancements are:

  • Auto-scaling has been fixed when AdjustmentType was set to
    PercentChangeInCapacity.

  • A QPID broker restart no longer permanently disrupts subscribed clients.

  • RPC requests are now only serviced by one server in a given topic group.

  • Auto-scaling group growth or shrinkage has been fixed to utilize the full
    available size, regardless of the scaling policy adjustment.

(BZ#1045430)

This update also fixes the following bugs:

  • The outdated heat-db-setup tool, which only supported local installs, has
    been removed. The Red Hat Enterprise Linux OpenStack Platform 4
    Installation and Configuration Guide has been updated to show how to create
    the necessary database and associated tables for Orchestration, allowing
    the deployment of the database server on a local or remote system (see
    Installing the OpenStack Orchestration Service). (BZ#1046326)

  • The heat-engine source code had a hard-coded reference to a Fedora image
    name in the implementation of the AWS-compatible LoadBalancer resource.
    This meant that you could not specify an alternative LoadBalancer image
    name in deployments (for example, Red Hat Enterprise Linux). A new option
    has been added to the Orchestration configuration file,
    /etc/heat/heat.conf, which is named loadbalancer_template. The new
    loadbalancer_template option can now be used to specify an alternate
    LoadBalancer template that contains a different image name. (BZ#1048215)

  • Due to a packaging error, the heat-manage tool was not working properly,
    which prevented the database from being created. This has been fixed by
    moving the parallel package selection code so that all Orchestration
    tools now use the proper packages at runtime. (BZ#1048335)

All openstack-heat users are advised to upgrade to these updated packages,
which correct these issues and add these enhancements.
