Is there an Openstack patch for the Venom vuln? Do we need to patch qemu manually?

asked 2015-05-14 11:58:46 -0600

pangalactic

Question posted kinda says it all... is there a patch or even an announcement of versions affected? This has been out for more than 24 hours, and I don't see any response from http://Openstack.org. Red Hat has patches for its version, but I'd like to see one from the source...


2 answers

2

answered 2015-05-14 16:12:47 -0600

smaffulli

Venom is not a vulnerability in OpenStack software; it's a vulnerability in some software commonly used alongside OpenStack. We aren't the ones who provide fixes for it.

Fixes come from the Xen project, possibly by way of distributions packaging the software, specifically in the form of patches to, or patched versions of, qemu.

There is a discussion going on the Operators mailing list that you may want to follow.


Comments

To clarify, you should obtain fixed versions of qemu from wherever you got your original versions of qemu. The OpenStack project doesn't write, maintain or distribute qemu itself.

fungi (2015-05-14 17:22:04 -0600)
2

answered 2015-05-14 18:01:03 -0600

lhinds

updated 2015-05-14 18:07:00 -0600

You should go to the Linux dist maintainer, as qemu (which hosts the exploit code) is part of the Linux kernel, and each distributor will package their own patch.

For example, here is the fix in qemu's git repository: http://git.qemu.org/?p=qemu.git;a=com...

And here is the fix packaged by Red Hat: https://access.redhat.com/articles/14...



Stats

Asked: 2015-05-14 11:58:46 -0600

Seen: 206 times

Last updated: May 14 '15