Date: Tue, 15 Oct 2013 23:51:59 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for a vulnerability in OpenStack Glance

On 10/15/2013 12:56 PM, Thierry Carrez wrote:
> A vulnerability was discovered in OpenStack (see below). In order
> to ensure full traceability, we need a CVE number assigned that we
> can attach to further notifications. This issue is already public,
> although an advisory was not sent yet.
> 
> """
> Title: Glance image_download policy not enforced for cached images
> Reporter: Stuart McLaren (HP)
> Products: Glance
> Affects: Folsom, Grizzly
> 
> Description: Stuart McLaren from HP reported a vulnerability in
> Glance download_image policy enforcement in the case of cached
> images. Deployers may opt to set a download_image policy to
> restrict image download to specific roles. However, when an image
> has previously been cached by an authorized download, any authenticated
> user could download image contents if they can determine the image
> UUID, bypassing any download_image policy restrictions. This could
> result in disclosure of image contents that were thought to be
> protected by the download_image policy setting. Only setups making
> use of the download_image policy are affected.
> """
> 
> References: https://bugs.launchpad.net/glance/+bug/1235378
> 
> Thanks in advance,

Please use CVE-2013-4428 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
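The bug class in the quoted advisory is a policy check that sits on only one of two code paths: the cache-miss path consults the download_image rule, the cache-hit path serves bytes directly, so an authorized download "pre-authorizes" every later caller who knows the UUID. The following is an added example, not Glance's own code: PolicyEnforcer, ImageCache, the two Downloader classes, the "image_downloader" role and the image UUID are all constructed to model the behaviour and are not how Glance implements policy or caching. It pairs the vulnerable shape with the hardened one and carries out the check a deployer would want to run after patching: prime the cache as a privileged user, then retry the same UUID as an unprivileged one.

```python
"""Constructed model of the cache-path policy bypass described in the advisory.

Added example, not Glance code. PolicyEnforcer, ImageCache, the Downloader
classes and the "download_image" rule name are assumptions chosen to model
the behaviour; real Glance enforces policy and caches through different code.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller's roles do not satisfy a policy rule."""


@dataclass
class Context:
    user: str
    roles: frozenset


@dataclass
class PolicyEnforcer:
    # rule name -> roles permitted by the deployer; an absent rule allows everyone
    rules: dict

    def enforce(self, rule: str, ctx: Context) -> None:
        allowed = self.rules.get(rule)
        if allowed is not None and not (ctx.roles & allowed):
            raise Forbidden(f"{ctx.user} lacks a role in {sorted(allowed)} for {rule}")


@dataclass
class ImageCache:
    _store: dict = field(default_factory=dict)

    def get(self, image_id: str):
        return self._store.get(image_id)

    def put(self, image_id: str, data: bytes) -> None:
        self._store[image_id] = data


@dataclass
class VulnerableDownloader:
    """Enforces download_image only on the cache-miss path (the bug)."""
    policy: PolicyEnforcer
    cache: ImageCache
    backend: dict  # image UUID -> bytes, standing in for the image store

    def download(self, ctx: Context, image_id: str) -> bytes:
        cached = self.cache.get(image_id)
        if cached is not None:
            return cached  # BUG: served without consulting the policy
        self.policy.enforce("download_image", ctx)
        data = self.backend[image_id]
        self.cache.put(image_id, data)
        return data


@dataclass
class FixedDownloader(VulnerableDownloader):
    """Enforces download_image before deciding where the bytes come from."""

    def download(self, ctx: Context, image_id: str) -> bytes:
        self.policy.enforce("download_image", ctx)  # check first, on every path
        cached = self.cache.get(image_id)
        if cached is not None:
            return cached
        data = self.backend[image_id]
        self.cache.put(image_id, data)
        return data


def run_scenario(downloader_cls) -> bool:
    """Prime the cache via an authorized download, then retry as a plain user.

    Returns True if the plain user obtained the image bytes (policy bypassed).
    """
    image_id = "3b0e4c1a-0000-4000-8000-000000000001"  # constructed UUID
    policy = PolicyEnforcer({"download_image": frozenset({"image_downloader"})})
    dl = downloader_cls(policy, ImageCache(), {image_id: b"secret-image-bytes"})

    admin = Context("alice", frozenset({"admin", "image_downloader"}))
    plain = Context("bob", frozenset({"member"}))

    assert dl.download(admin, image_id) == b"secret-image-bytes"  # authorized; now cached
    try:
        dl.download(plain, image_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable serves cached image to unprivileged user:", run_scenario(VulnerableDownloader))
    print("fixed serves cached image to unprivileged user:     ", run_scenario(FixedDownloader))
```

The fix is the ordering, not a new check: enforce the rule once, before the cache lookup, so that where the bytes come from has no bearing on who may receive them. The same two-step probe (privileged fetch, then unprivileged fetch of the same UUID) is how a deployer can confirm the rule holds on a live cache-enabled service.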
