EPEL Status of openstack-nova

Anssi Johansson epel at miuku.net
Sat Apr 12 07:33:50 UTC 2014


On 28.3.2014 10.36, Anssi Johansson wrote:
> A number of openstack-nova security bugs were recently closed as WONTFIX:
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=956808
> /var/log/nova/ is world readable
>
> https://bugzilla.redhat.com/show_bug.cgi?id=961736
> CVE-2013-2030 insecure directory creation for signing
>
> https://bugzilla.redhat.com/show_bug.cgi?id=963728
> CVE-2013-2096 fails to verify image virtual size denial of service
>
> https://bugzilla.redhat.com/show_bug.cgi?id=994810
> CVE-2013-2256 private flavors resource limit circumvention
>
> https://bugzilla.redhat.com/show_bug.cgi?id=994817
> CVE-2013-4185 network source security groups denial of service
>
> https://bugzilla.redhat.com/show_bug.cgi?id=995173
> CVE-2013-4179 XML entities DoS
>
> https://bugzilla.redhat.com/show_bug.cgi?id=999277
> CVE-2013-4261 console-log DoS
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1040789
> CVE-2013-7048 insecure directory permissions in snapshots
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1057311
> CVE-2013-7130 Live migration can leak root disk into ephemeral storage
>
>
> The reason for WONTFIX was stated as "Openstack is not maintained in
> EPEL, newer versions of openstack for EPEL are kept in RDO".
>
> If there are no plans to continue maintaining openstack-nova in EPEL,
> the package should be removed from EPEL.

I'm still of the opinion that if a package in EPEL is no longer 
maintained and it has known security issues, it should be removed from EPEL.
