| Name | CVE-2019-10876 |
| Description | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 926502 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| neutron (PTS) | jessie | 2014.1.3-12 | fixed |
| stretch (security), stretch (lts), stretch | 2:9.1.1-3+deb9u3 | fixed |
| buster, buster (security) | 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1 | fixed |
| bullseye (security), bullseye | 2:17.2.1-0+deb11u1 | fixed |
| bookworm | 2:21.0.0-7 | fixed |
| trixie | 2:24.0.0-1 | fixed |
| sid | 2:24.0.0-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| neutron | source | jessie | (not affected) | | | |
| neutron | source | stretch | (not affected) | | | |
| neutron | source | (unstable) | 2:13.0.2-15 | | | 926502 |
Notes
[stretch] - neutron <not-affected> (Vulnerable code introduced later; Around Pike Openstack release)
[jessie] - neutron <not-affected> (Vulnerable code introduced later; Around Pike Openstack release)
https://bugs.launchpad.net/ossa/+bug/1813007
https://review.openstack.org/#/q/topic:bug/1813007