[Bug 1847243] Re: Update Octavia-* packages as per OSSA-2019-005 / CVE-2019-17134

Daniel 'f0o' Preussker 1847243 at bugs.launchpad.net
Thu Oct 10 07:52:03 UTC 2019


Hi Marc,

I'm afraid a patch-fix will not work because amphora images are created
by the end-user using `diskimage-create.sh` which uses pip/git to pull
the agent.

Although I do understand that from an OS Maintainer's perspective this
patch solves the issue outlined in the CVE and keeps aligned to the
release versions.

I must add that from an Operator's perspective this will either break current setups:
an operator would create an image based on version 4.1.0, which is incompatible with 4.0.0 but is the earliest tag/release with the fix from upstream
- Or -
remain vulnerable by rebuilding a 4.0.0 tagged amphora-image, which does not have the CVE fix, while the Ubuntu Advisory suggests that it would.

I looked at the way `diskimage-create.sh` creates the images for Ubuntu
and it does include a flag `'-p' install amphora-agent from distribution
packages (default: disabled)`, but this is broken because it tries to use
`amphora-agent` as the package name and does not care about UCA.

I've poked the Octavia Development Team about this as well.

One possible solution to keeping a fixed release (4.0.0) and doing patch
updates for security is to provide Amphora-Images by Ubuntu directly.
This way you can assure that these images come with your package. The
drawback is that it needs a maintainer and causes labor on
Canonical/Ubuntu's side.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1847243

Title:
  Update Octavia-* packages as per OSSA-2019-005 / CVE-2019-17134

Status in Ubuntu Cloud Archive:
  In Progress
Status in Ubuntu Cloud Archive rocky series:
  In Progress
Status in Ubuntu Cloud Archive stein series:
  In Progress
Status in Ubuntu Cloud Archive train series:
  In Progress
Status in octavia package in Ubuntu:
  Fix Released
Status in octavia source package in Disco:
  In Progress
Status in octavia source package in Eoan:
  Fix Released

Bug description:
  Octavia packages in cloud-archive/queens, cloud-archive/rocky and
  cloud-archive/stein need updating.

  Fixes are committed to these versions:
  Queens: 2.1.2
  Rocky: 3.2.0
  Stein: 4.1.0

  With backports to:
  Pike: Git#2976a7f0f109e17930db8a61136526ead44ea7e5
  Ocata: Git#c2fdffc3b748f8007c72e52df257e38756923b40

  Reference:
  https://security.openstack.org/ossa/OSSA-2019-005.html
