Bugzilla – Bug 1105476
VUL-0: CVE-2017-15139: openstack-cinder: Data retained after deletion of a ScaleIO volume
Last modified: 2020-05-12 18:25:36 UTC
Certain storage volume configurations allow newly created volumes to contain previous data. This could lead to leakage of sensitive information between tenants.
Affected Services / Software
Cinder releases up to and including Queens with ScaleIO volumes using thin volumes and zero padding.
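The advisory describes the failure mode but not the check an operator or driver would want in front of it. The following is an added illustrative example written for this page, not code from the Cinder ScaleIO driver or from the upstream fix: it refuses a thin volume when the target storage pool does not report zero padding as enabled, failing closed when the policy is missing. The storage pool records are constructed sample data, and the field name `zeroPaddingEnabled` is an assumption about what the backend reports; the bug text itself names no field. Only thin requests are gated, because that is the case the advisory describes; whether thick volumes need the same gate is not something this page settles.

```python
"""Illustrative pre-flight check for the bug class described in this advisory:
a thin ScaleIO volume carved from a storage pool whose zero-padding policy is
off can return whatever the previous owner of those blocks wrote.

Added example for this page, not code from the Cinder ScaleIO driver or the
upstream fix. Assumptions: the pool records below are constructed, and the
field name ``zeroPaddingEnabled`` is assumed, not taken from this bug.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed sample of three storage pools as a backend lookup might return them.
SAMPLE_POOLS: Dict[str, Dict[str, Any]] = {
    "pool-padded": {"id": "pool-padded", "name": "ssd_padded", "zeroPaddingEnabled": True},
    "pool-unpadded": {"id": "pool-unpadded", "name": "hdd_fast", "zeroPaddingEnabled": False},
    "pool-unknown": {"id": "pool-unknown", "name": "legacy"},  # policy not reported
}


class UnsafeVolumeCreation(Exception):
    """A volume request that could expose another tenant's residual data."""


@dataclass(frozen=True)
class VolumeRequest:
    pool_id: str
    provisioning: str  # "thin" or "thick"
    size_gb: int


def pool_has_zero_padding(pool: Dict[str, Any]) -> bool:
    """Fail closed: only an explicit True counts as padding enabled."""
    return pool.get("zeroPaddingEnabled") is True


def check_volume_creation_safe(req: VolumeRequest,
                               pools: Dict[str, Dict[str, Any]]) -> str:
    """Return the provisioning type to proceed with, or raise.

    Only thin requests are gated, because that is the case the advisory
    describes; thick requests pass through unchanged in this example.
    """
    if req.provisioning not in ("thin", "thick"):
        raise ValueError("provisioning must be 'thin' or 'thick'")
    pool = pools.get(req.pool_id)
    if pool is None:
        raise UnsafeVolumeCreation("unknown storage pool %r" % req.pool_id)
    if req.provisioning == "thin" and not pool_has_zero_padding(pool):
        raise UnsafeVolumeCreation(
            "storage pool %s does not have zero padding enabled; a thin volume "
            "here could expose data from previously deleted volumes" % pool["name"])
    return req.provisioning


def is_request_safe(req: VolumeRequest, pools: Dict[str, Dict[str, Any]]) -> bool:
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        check_volume_creation_safe(req, pools)
    except UnsafeVolumeCreation:
        return False
    return True


def pools_unsafe_for_thin(pools: Dict[str, Dict[str, Any]]) -> List[str]:
    """Operator audit: which pools would reject thin volumes under this policy."""
    return sorted(pid for pid, pool in pools.items() if not pool_has_zero_padding(pool))


if __name__ == "__main__":
    for req in (VolumeRequest("pool-padded", "thin", 10),
                VolumeRequest("pool-unpadded", "thin", 10),
                VolumeRequest("pool-unpadded", "thick", 10),
                VolumeRequest("pool-unknown", "thin", 10)):
        try:
            print(req.pool_id, req.provisioning, "->",
                  check_volume_creation_safe(req, SAMPLE_POOLS))
        except UnsafeVolumeCreation as exc:
            print(req.pool_id, req.provisioning, "-> REFUSED:", exc)
    print("pools unsafe for thin:", pools_unsafe_for_thin(SAMPLE_POOLS))
```

The point of failing closed on a missing or non-boolean `zeroPaddingEnabled` is that an operator who cannot confirm the pool's policy should get a refusal rather than a silently provisioned volume; `pools_unsafe_for_thin` gives the same answer in bulk so a deployment can be audited before any tenant asks for a thin volume.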
Upstream bug not merged yet.
Once this is done it can hopefully be backported down.
Merged in master, waiting on Pike. Then I need to see if they will accept Ocata and Newton.
@Keith: Any progress on this?
Pike and Newton are done. Do we need Mitaka as well? That is where I am blocked currently.
@Keith: We don't have a Mitaka based product so from my perspective this is not required.
What about HOS4? Is that something we need to address?
@Keith: Can you add the patch to https://build.opensuse.org/package/show/Cloud:OpenStack:Newton:Staging/openstack-cinder ?
The decision for HOS4 is up to Carter.
We can pick this up in HOS 4.0.9 when/if there is another update.
Merging to Mitaka was shot down upstream, so we won't be able to add it.
Rick, can we do a GTM and you please show me how to do what you are asking for in comment https://bugzilla.suse.com/show_bug.cgi?id=1105476#c8?
Patch added for Newton/SOC7. Please close when ready.
SUSE-SU-2019:0716-1: An update that solves one vulnerability and has four fixes is now available.
Category: security (moderate)
Bug References: 1089834,1105476,1116475,1119902,1124695
CVE References: CVE-2017-15139
SUSE OpenStack Cloud 7 (src): openstack-cinder-9.1.5~dev6-4.21.3, openstack-cinder-doc-9.1.5~dev6-4.21.3, openstack-horizon-plugin-designate-ui-3.0.2~dev1-3.9.3, openstack-neutron-9.4.2~dev21-7.27.3, openstack-neutron-doc-9.4.2~dev21-7.27.3, openstack-neutron-lbaas-9.2.2~dev11-4.15.3, openstack-neutron-lbaas-doc-9.2.2~dev11-4.15.3
The fix was merged upstream (https://review.opendev.org/#/c/601681/) and is also included in the code we ship (https://build.suse.de/package/show/SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/openstack-cinder), just checked.
(In reply to Nanuk Krinner from comment #18)
> The fix was merged upstream (https://review.opendev.org/#/c/601681/) and is
> also included in the code we ship
> Update/openstack-cinder), just checked.
Thanks Nanuk, I fixed our tracking. Closing.