Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 29 May 2014 19:47:54 +0000
From: Jeremy Stanley <jeremy@...nstack.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-017] Nova VMWare driver leaks rescued images
 (CVE-2014-2573)

OpenStack Security Advisory: 2014-017
CVE: CVE-2014-2573
Date: May 29, 2014
Title: Nova VMWare driver leaks rescued images
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Versions: from 2013.2 to 2013.2.3, and 2014.1

Description:
Jaroslav Henner from Red Hat reported a vulnerability in Nova. By
requesting Nova place an image into rescue, then deleting the image,
an authenticated user my exceed their quota. This can result in a
denial of service via excessive resource consumption. Only setups
using the Nova VMWare driver are affected.

Juno (development branch) fix:
https://review.openstack.org/75788
https://review.openstack.org/80284

Icehouse fix:
https://review.openstack.org/88514
https://review.openstack.org/89217

Havana fix:
https://review.openstack.org/89762
https://review.openstack.org/89768

Notes:
This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573
https://launchpad.net/bugs/1269418

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team

Download attachment "signature.asc" of type "application/pgp-signature" (950 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.