Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 09 Nov 2012 00:52:34 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Russell Bryant <rbryant@...hat.com>
Subject: Re: Re: [OSSA 2012-017] Authentication bypass for
 image deletion (CVE-2012-4573)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/08/2012 03:52 PM, Russell Bryant wrote:
> On 11/07/2012 05:10 PM, Russell Bryant wrote:
>> OpenStack Security Advisory: 2012-017 CVE: CVE-2012-4573 Date:
>> November 7, 2012 Title: Authentication bypass for image deletion 
>> Impact: High Reporter: Gabe Westmaas (Rackspace) Products:
>> Glance Affects: Essex, Folsom, Grizzly
>> 
>> Description: Gabe Westmaas from Rackspace reported a
>> vulnerability in Glance authentication of image deletion
>> requests. Authenticated users may be able to delete arbitrary,
>> non-protected images from Glance servers. Only Folsom/Grizzly
>> deployments that expose the v1 API are affected by this 
>> vulnerability. Additionally, Essex deployments that use the 
>> delayed_delete option are also affected.
>> 
>> Fixes: Grizzly: 
>> https://github.com/openstack/glance/commit/6ab0992e5472ae3f9bef0d2ced41030655d9d2bc
>>
>> 
2012.2 (Folsom):
>> https://github.com/openstack/glance/commit/90bcdc5a89e350a358cf320a03f5afe99795f6f6
>>
>> 
2012.1 (Essex): https://review.openstack.org/#/c/15562/
>> 
>> References: 
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4573 
>> https://bugs.launchpad.net/glance/+bug/1065187
>> 
>> Notes: This fix will be included in the grizzly-1 development
>> milestone and in a future 2012.2 (Folsom) release.
>> 
> 
> There have been some important updates that have occurred since
> the publication of this advisory:
> 
> 1) When the advisory was published, the patch for the stable/essex 
> branch had not been merged.  It has now been merged and is
> *different* than the original patch.  If you pulled the earlier
> patch, please update to the final version.
> 
> https://github.com/openstack/glance/commit/efd7e75b1f419a52c7103c7840e24af8e5deb29d
>
>  2) It was discovered that the patches submitted for stable/folsom
> and master (grizzly) did not completely solve the problem.  The
> original patch only fixed the problem for the v1 API.  The problem
> still existed for the v2 API.  Please see this commit for the
> additional patch:
> 
> bug: https://bugs.launchpad.net/glance/+bug/1076506
> 
> stable/folsom: 
> https://github.com/openstack/glance/commit/fc0ee7623ec59c87ac6fc671e95a9798d6f2e2c3
>
>  master: 
> https://github.com/openstack/glance/commit/b591304b8980d8aca8fa6cda9ea1621aca000c88

This
> 
needs a new CVE since the previous one wasn't fully fixed in the
patches.  Please use CVE-2012-5482 for this new/updated fix.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQnLZBAAoJEBYNRVNeJnmT2fAQAKy9dz3sbm67XHv5ngNWeL5x
pKgzM6VO+LAtI0Im5IZVRy6D8OQA22WnQILuVeD4Wh25k/gsVs1Krg+Ox8cUsNNr
uJp8CkvK0nZspTk7rSjSf14twohcst9HeYPK5M7n2VHwO2VLc0crgJuSvMxIsnco
2qrUKxf7mLQCqBxEHMaLrDMSwspEIEQcTmX6vU/iylEelgwmuFklPRHreA5PBy8R
I/hDttMsT51+AcPVLcrIbnApBqLaZCfpveDP527NjC4Zz8SzJNtv7Jky4dv1BUfv
hiUYVbwzLNrtUifqHMshTZ9MGBRvh6QTMTJvrqbjK79Gh0Yz+XdX3dm+EWnXXVXA
HxdaMvnehaoawkMKoLBQl+mk3F9O4TacG6XtKWc3aaOnsGJZJ9orfxaVYq3F4NVb
uV2fjhFaydNjn0T5s1TPOnjXu8BtU8BJIMiSxtIieXseeO7MLyftjsbvaoY2X6R3
9zceGOMkh04c+Ug5r2Xu4to4sG/I2/TmOQ1LojRHLB02y5YsLntNCogI7ceMYjID
nJOsqXbA3d6jBTCTuA1ddADcn5s9KPpBIpZO0SRC+pTJABZo+/KIz4xOMbrr5Y9B
WLZ1bVKehTHUDvSq6cKPUNWvYj+5OiRFTLfaouNTCFUgVqS1dxfozcWh6uANcueP
ZHnn8wt9aabfsHpdaiOv
=3rlD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ