The openstack-heat packages provide heat, a Python implementation of the
OpenStack Orchestration engine, to launch multiple composite cloud
applications based on templates.
It was found that heat did not properly enforce cloudformation-compatible
API policy rules. An in-instance attacker could use the CreateStack or
UpdateStack methods to create or update a stack, resulting in a violation
of the API policy. Note that only setups using Orchestration’s
cloudformation-compatible API were affected. (CVE-2013-6426)
A flaw was found in the way Orchestration’s REST API implementation handled
modified request paths. An authenticated remote user could use this flaw to
bypass the tenant-scoping restriction by modifying the request path,
resulting in privilege escalation. Note that only setups using
Orchestration’s cloudformation-compatible API were affected.
(CVE-2013-6428)
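The two flaws above come down to two missing gates: a policy rule for each cloudformation-compatible action (CVE-2013-6426) and a check that the tenant named in the request path is the tenant of the authenticated caller (CVE-2013-6428). The following added example, which is not heat's own code, shows both gates as a practitioner would write them; the `/v1/<tenant>/...` path layout, the role names and the CFN_POLICY table are assumptions chosen for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed example policy: which roles may call each CFN-compatible action.
# Rule names and roles are assumptions for illustration, not heat's policy.json.
CFN_POLICY = {
    "CreateStack": {"heat_stack_owner", "admin"},
    "UpdateStack": {"heat_stack_owner", "admin"},
    "DescribeStacks": {"heat_stack_owner", "heat_stack_user", "admin"},
}

# Assumed URL layout: the tenant is the first path segment after the API version.
_TENANT_IN_PATH = re.compile(r"^/v1/(?P<tenant>[^/]+)(?:/|$)")


class Forbidden(Exception):
    """Raised when a request fails the tenant-scope or policy check."""


def canonical_path(raw_path):
    """Decode and normalise the request path before any tenant comparison, so
    percent-encoded or dot-segment variants resolve to the path actually compared."""
    return posixpath.normpath("/" + unquote(raw_path).lstrip("/"))


def check_tenant_scope(raw_path, token_tenant):
    """The tenant named in the URL must equal the tenant from the validated token."""
    match = _TENANT_IN_PATH.match(canonical_path(raw_path))
    if match is None or match.group("tenant") != token_tenant:
        raise Forbidden("request path is outside the caller's tenant")


def enforce_cfn_policy(action, token_roles):
    """The caller's roles (taken from the token, never from the request) must
    satisfy the rule for the action; unknown actions are denied by default."""
    allowed = CFN_POLICY.get(action)
    if allowed is None or not (set(token_roles) & allowed):
        raise Forbidden("policy denies %s" % action)


def is_authorized(raw_path, token_tenant, action, token_roles):
    """Combined gate: True only when both the tenant scope and the policy pass."""
    try:
        check_tenant_scope(raw_path, token_tenant)
        enforce_cfn_policy(action, token_roles)
    except Forbidden:
        return False
    return True
```

Normalising before comparing is the part that matters for the path flaw: a check that compares the raw path string would accept a path that resolves to another tenant once decoded.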
Red Hat would like to thank Jeremy Stanley of the OpenStack Project for
reporting these issues. Upstream acknowledges Steven Hardy of Red Hat as
the original reporter.
The openstack-heat packages have been upgraded to upstream version
2013.2.1, which provides a number of bug fixes and enhancements over the
previous version. The most notable fixes and enhancements are:
- Auto-scaling has been fixed when AdjustmentType was set to PercentChangeInCapacity.
- A QPID broker restart no longer permanently disrupts subscribed clients.
- RPC requests are now only serviced by one server in a given topic group.
- Auto-scaling group growth or shrinkage has been fixed to utilize the full available size, regardless of the scaling policy adjustment.

(BZ#1045430)
This update also fixes the following bugs:
The outdated heat-db-setup tool, which only supported local installs, has
been removed. The Red Hat Enterprise Linux OpenStack Platform 4
Installation and Configuration Guide has been updated to show how to create
the necessary database and associated tables for Orchestration, allowing
the deployment of the database server on a local or remote system (see
Installing the OpenStack Orchestration Service). (BZ#1046326)
The heat-engine source code had a hard-coded reference to a Fedora image
name in the implementation of the AWS-compatible LoadBalancer resource.
This meant that you could not specify an alternative LoadBalancer image
name in deployments (for example, Red Hat Enterprise Linux). A new option
has been added to the Orchestration configuration file,
/etc/heat/heat.conf, which is named loadbalancer_template. The new
loadbalancer_template option can now be used to specify an alternate
LoadBalancer template that contains a different image name. (BZ#1048215)
Due to a packaging error, the heat-manage tool was not working properly,
which prevented successful database creation. This error has been
fixed by moving the parallel package selection code so that all
Orchestration tools now use the proper packages for use at runtime.
(BZ#1048335)
All openstack-heat users are advised to upgrade to these updated packages,
which correct these issues and add these enhancements.
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
RedHat | 6 | src | openstack-heat | < 2013.2.1-4.el6ost | openstack-heat-2013.2.1-4.el6ost.src.rpm |
RedHat | 6 | noarch | openstack-heat-api | < 2013.2.1-4.el6ost | openstack-heat-api-2013.2.1-4.el6ost.noarch.rpm |
RedHat | 6 | noarch | openstack-heat-engine | < 2013.2.1-4.el6ost | openstack-heat-engine-2013.2.1-4.el6ost.noarch.rpm |
RedHat | 6 | noarch | openstack-heat-common | < 2013.2.1-4.el6ost | openstack-heat-common-2013.2.1-4.el6ost.noarch.rpm |
RedHat | 6 | noarch | openstack-heat-api-cfn | < 2013.2.1-4.el6ost | openstack-heat-api-cfn-2013.2.1-4.el6ost.noarch.rpm |
RedHat | 6 | noarch | openstack-heat-api-cloudwatch | < 2013.2.1-4.el6ost | openstack-heat-api-cloudwatch-2013.2.1-4.el6ost.noarch.rpm |