Date: Tue, 15 Oct 2013 20:56:57 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: CVE request for a vulnerability in OpenStack Glance

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications.

This issue is already public, although an advisory was not sent yet.

"""
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Folsom, Grizzly

Description:
Stuart McLaren from HP reported a vulnerability in Glance download_image
policy enforcement in the case of cached images. Deployers may opt to set
a download_image policy to restrict image download to specific roles.
However, when an image is previously cached by an authorized download,
any authenticated user could download image contents if they can
determine the image UUID, bypassing any download_image policy
restrictions. This could result in disclosure of image contents that
were thought to be protected by the download_image policy setting. Only
setups making use of the download_image policy are affected.
"""

References:
https://bugs.launchpad.net/glance/+bug/1235378

Thanks in advance,

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSXY/1AAoJEFB6+JAlsQQjzaQQAMA8y6U5MocsXSLbIduRruEl
eu30WiUlpZFtrbHvsdxDuZdm0qH55cIAFLEnsvhtqcLCVMQz78/dYfNbH35awywc
sT4t9kSuK05Ahx9j9J9GLO0Pw2krZP69ht3UphwrlbwyrbC9i1AwIhB8I1+BGNDo
XnD/MvyHnKE4IYnXm4io2vhXEU4K92l8kRyqAgglmrZmOlgWINecXgbFalyNRMQZ
FveYjv/4yODR2IAKCJIGKI3bF4GAions6dXAmyaMZ9Y6H08xS91sFgS7TqFraK9p
W3OAbTglx12zdjGOh2KO8HC3C46g2JDTt6Vt1eYaaJDSZiWs3u1U+JI7ob5KuWEo
xqRSVfPRNzdbO/NSJ80LbDFFrCfu61hO+HYmuLlCDs6Db1Wt0zIYjma2JtMsbl4L
5Semh3J0UcxwoRK5+pMmKuzJ+Q+Qbr8FNIAx4rHbCXnPRTAHnecd+5WFIzHAezuf
wW2z5j7jHqofSmPDcaoEZsw9Ar6LE3Edf9L3li1D7A2klI+vULRsd+41SzH4WgG0
+SeNogL+2SH8dB8KCLYpxayBMr8iCvHhr8DohkLJfRRJy0+ib1avuilnq3xDTIZq
BvrvcSoJS3CiJg51M29upGXjH5fOyu5zhAYdq6nF6srmx5Lqd8AHLbYu/uxcMwmp
A6Nm2aQI48wT5J3gJ21i
=uDpa
-----END PGP SIGNATURE-----
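The bypass described in the advisory above is a classic ordering bug: an authorization check that lives in the slow path (fetching the image from the store) is skipped whenever a cache in front of it answers the request. The following toy model, added here as an illustration and not taken from Glance's own code, shows the vulnerable layering beside a hardened one. All class names (Policy, ImageBackend, PolicyBypassingCache, PolicyEnforcingCache), the role name "image_downloader", the image UUID and the image bytes are constructed for the example.

```python
"""Toy model of a download_image policy that is enforced on the store path
but skipped on cache hits, beside a cache that enforces it first.

Added illustration only; none of this is Glance code. Names are hypothetical.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the policy rejects an operation."""


@dataclass(frozen=True)
class Context:
    """Authenticated request context: who is asking and which roles they hold."""
    user: str
    roles: frozenset


class Policy:
    """Stand-in for a policy file: rule name -> roles permitted (missing rule = allow all)."""

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, rule, ctx):
        allowed = self.rules.get(rule)
        if allowed is not None and not (allowed & ctx.roles):
            raise Forbidden(f"{ctx.user} may not {rule}")


class ImageBackend:
    """The image store. It enforces download_image on every read."""

    def __init__(self, policy, images):
        self.policy = policy
        self.images = images

    def download(self, ctx, image_id):
        self.policy.enforce("download_image", ctx)
        return self.images[image_id]


class PolicyBypassingCache:
    """Vulnerable layering: a cache hit returns bytes without ever reaching
    the backend, so the only policy check in the system is skipped."""

    def __init__(self, backend):
        self.backend = backend
        self.cache = {}

    def download(self, ctx, image_id):
        if image_id in self.cache:
            return self.cache[image_id]          # no policy check on this path
        data = self.backend.download(ctx, image_id)
        self.cache[image_id] = data              # populated by an authorized read
        return data


class PolicyEnforcingCache(PolicyBypassingCache):
    """Hardened layering: enforce the rule before consulting the cache, so the
    decision does not depend on who fetched the image earlier."""

    def download(self, ctx, image_id):
        self.backend.policy.enforce("download_image", ctx)
        return super().download(ctx, image_id)


IMAGE_ID = "11111111-2222-4333-8444-555555555555"  # constructed UUID, not a real image


def run_scenario(cache_cls):
    """Replay the advisory's scenario against a cache class and report what an
    unauthorized user gets before and after an authorized download warms the cache."""
    policy = Policy({"download_image": frozenset({"image_downloader"})})
    backend = ImageBackend(policy, {IMAGE_ID: b"constructed image bytes"})
    cache = cache_cls(backend)
    authorized = Context("alice", frozenset({"image_downloader"}))
    unauthorized = Context("mallory", frozenset({"member"}))  # authenticated, wrong role

    def attempt(ctx):
        try:
            cache.download(ctx, IMAGE_ID)
            return "allowed"
        except Forbidden:
            return "denied"

    outcome = {"cold_cache": attempt(unauthorized)}
    cache.download(authorized, IMAGE_ID)        # authorized read populates the cache
    outcome["warm_cache"] = attempt(unauthorized)
    return outcome


if __name__ == "__main__":
    print("vulnerable:", run_scenario(PolicyBypassingCache))
    print("fixed:     ", run_scenario(PolicyEnforcingCache))
```

With the vulnerable cache the unauthorized user is denied on a cold cache and allowed once an authorized download has populated it, which is exactly the condition the advisory describes (knowing the UUID is enough). The hardened variant denies both. The general lesson for any caching layer placed in front of an authorizing backend is that the policy decision must be made per request, before the cache lookup, rather than inherited from whichever request filled the cache.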