Bugzilla – Bug 861486
VUL-0: CVE-2013-6491: openstack-nova: QPID SSL configuration
Last modified: 2014-02-19 21:20:58 UTC
JuanFra Rodriguez Cardoso reported the following openstack-nova issue:

By default, TCP is used as transport for QPID connections. If you like to enable SSL, there is a flag 'qpid_protocol = ssl' available in nova.conf. However, python-qpid client is awaiting transport type instead of protocol. It seems to be a bug:

Solution: (https://github.com/openstack/nova/blob/master/nova/openstack/common/rpc/impl_qpid.py#L323)

WRONG: self.connection.protocol = self.conf.qpid_protocol
CORRECT: self.connection.transport = self.conf.qpid_protocol

CVE-2013-6491 was assigned to this issue.

References:
https://bugs.launchpad.net/oslo/+bug/1158807
https://bugzilla.redhat.com/show_bug.cgi?id=1059504
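Added example, not part of the bug report or of the nova code: it shows why the WRONG line fails silently (Python accepts the assignment to an attribute nothing reads, so the transport stays at its TCP default) and how a fail-closed check or a `__slots__` class would surface the mistake. `StubConnection`, `StrictConnection`, the helper functions and the broker address are constructed stand-ins, not the python-qpid API.

```python
class StubConnection:
    """Constructed stand-in for the client connection object (not python-qpid)."""

    def __init__(self, broker):
        self.broker = broker
        self.transport = "tcp"  # default transport, per the report


class StrictConnection:
    """Same stand-in, but __slots__ rejects attributes the class does not define."""

    __slots__ = ("broker", "transport")

    def __init__(self, broker):
        self.broker = broker
        self.transport = "tcp"


def configure_wrong(conn, qpid_protocol):
    # The WRONG line: creates a new, unused attribute; transport stays "tcp".
    conn.protocol = qpid_protocol
    return conn


def configure_correct(conn, qpid_protocol):
    # The CORRECT line: sets the attribute that, per the report, the client reads.
    conn.transport = qpid_protocol
    return conn


def effective_transport(conn, qpid_protocol):
    """Fail closed if the configured transport did not take effect."""
    if conn.transport != qpid_protocol:
        raise RuntimeError(
            "configured %r but connection would use %r" % (qpid_protocol, conn.transport)
        )
    return conn.transport


if __name__ == "__main__":
    broker = "broker.example:5671"  # constructed sample value
    print(configure_wrong(StubConnection(broker), "ssl").transport)
    print(effective_transport(configure_correct(StubConnection(broker), "ssl"), "ssl"))
```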
Security team: we don't ship QPID as messaging queue. Obviously people can still manually install QPID and manually change the configuration of openstack, but that would not be supported. With this context: do we care about backporting the fix?
bugbot adjusting priority
The fix looks quite simple, so maybe we should put this bug on the planned update list and fix it with the next serious bug.

https://review.openstack.org/#/c/25157/2/openstack/common/rpc/impl_qpid.py

If we are not using QPID at all, we shouldn't burden this on QA.
Further thinking brings me to close this as WONTFIX. As nova is only shipped inside a SUSE product, this CVE doesn't affect us here.

Side note:
openSUSE:12.3 not fixed yet
openSUSE:13.1 already fixed
(In reply to comment #4)
> Further thinking brings me to close this as WONTFIX. As nova is only shipped
> inside a SUSE product, this CVE doesn't affect us here.

I'll assume you forgot to close as WONTFIX. Please reopen if I was assuming wrong.