Updated OpenStack Orchestration packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.

Red Hat Product Security has rated this update as having Moderate security impact.

Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenStack Orchestration (heat) is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. It can also be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Orchestration can also be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources.

A vulnerability was discovered in the OpenStack Orchestration service (heat), where a specially formatted template could be used to trick the heat-engine service into opening a local file. Although the file contents are never disclosed to the end user, an OpenStack-authenticated attacker could use this flaw to cause a denial of service or determine whether a given file name is present on the server. (CVE-2015-5295)

This issue was discovered by Steven Hardy of Red Hat.

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

Red Hat OpenStack 5.0 for RHEL 6

SRPMS:
openstack-heat-2014.1.5-7.el6ost.src.rpm
    MD5: feda48c9bb9f3ac26da4ef4997f6d3b2
    SHA-256: 50dcdcb0d85eec9d6361fb3335c6421907c6f8e766912809399047abcd73fe38

x86_64:
openstack-heat-api-2014.1.5-7.el6ost.noarch.rpm
    MD5: a68501362c3f50d707b0891ce1908936
    SHA-256: fb9041a24c801405905e3ee41e07e8483adaebd8d31d5fd747c55e85720c8bdb
openstack-heat-api-cfn-2014.1.5-7.el6ost.noarch.rpm
    MD5: 71ff2d575d410d4d43acf3fa7cf0c3d2
    SHA-256: 2747bdc40593fd68180745b4599b37f1191580984142baf6cf5b025bf127b73f
openstack-heat-api-cloudwatch-2014.1.5-7.el6ost.noarch.rpm
    MD5: ec9889c01044d5beebffdbc88597bc56
    SHA-256: a40bb3ea9b7e738c8446440aa24f184917fd3c75c983540050a5532ad09f56d9
openstack-heat-common-2014.1.5-7.el6ost.noarch.rpm
    MD5: c8b00ab6ff0f471c15b2102e50103d1b
    SHA-256: b1306835fe599479c974c5c9e88ce1395613f950b4487089f7dd8a08a61941c0
openstack-heat-engine-2014.1.5-7.el6ost.noarch.rpm
    MD5: f84783960d804b83581acd072212975b
    SHA-256: 4cf7fc97d630b25e670bab27b69949d5bd4a078dbe10df21917d4890d0dcd9fb

(The unlinked packages above are only available from the Red Hat Network)
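
One way to check downloaded RPMs against the SHA-256 values in a package listing like the one above, as an added example that is not Red Hat tooling. The function names and the file names in `demo()` are constructed for illustration; the check complements the GPG signature verification and does not replace it.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Bare RPM file name; no path separators, so a listing cannot escape the directory.
PACKAGE_RE = re.compile(r"^\s*([A-Za-z0-9._+-]+\.rpm)\s*$")
# Checksum line: works whether "MD5: <hex>" and "SHA-256: <hex>" are run
# together or on separate lines. MD5 is ignored; only SHA-256 is compared.
SHA256_RE = re.compile(r"SHA-256:\s*([0-9a-fA-F]{64})(?![0-9a-fA-F])")

def parse_listing(text):
    """Return {rpm_file_name: sha256_hex} from an errata package listing."""
    expected, current = {}, None
    for line in text.splitlines():
        pkg, digest = PACKAGE_RE.match(line), SHA256_RE.search(line)
        if pkg:
            current = pkg.group(1)
        elif digest and current:
            expected[current] = digest.group(1).lower()
            current = None
    return expected

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_dir(listing_text, directory):
    """Map each listed or present RPM to ok / mismatch / missing / unlisted."""
    results = {}
    for name, want in parse_listing(listing_text).items():
        path = Path(directory, name)
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == want else "mismatch"
    for path in Path(directory).glob("*.rpm"):
        results.setdefault(path.name, "unlisted")
    return results

def demo():
    """Constructed sample: two fake RPM files, the second altered on disk."""
    files = {"pkg-a-1.0-1.noarch.rpm": b"constructed A",
             "pkg-b-1.0-1.noarch.rpm": b"constructed B"}
    listing = "".join(f"{n}\n    MD5: {'0' * 32}SHA-256: "
                      f"{hashlib.sha256(b).hexdigest()}\n" for n, b in files.items())
    with tempfile.TemporaryDirectory() as d:
        Path(d, "pkg-a-1.0-1.noarch.rpm").write_bytes(b"constructed A")
        Path(d, "pkg-b-1.0-1.noarch.rpm").write_bytes(b"altered on disk")
        return verify_dir(listing, d)
```

Call `verify_dir(listing_text, directory)` with the advisory's package listing as text and the directory holding the downloaded RPMs; anything other than `ok` for a listed package warrants a fresh download before installation.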

1298295 – CVE-2015-5295 openstack-heat: Vulnerability in Heat template validation leading to DoS
1304075 – [heat] oslo.messaging holds connections when replies fail

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: