Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Aug 2014 10:59:39 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerability in OpenStack Glance

On 08/19/2014 10:43 AM, Tristan Cacqueray wrote:
> A vulnerability was discovered in OpenStack (see below). In order to
> ensure full traceability, we need a CVE number assigned that we can
> attach to further notifications. This issue is already public, although
> an advisory was not sent yet.
> 
> Title: Glance store DoS through disk space exhaustion
> Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
> Products: Glance
> Versions: up to 2013.2.3 and 2014.1 to 2014.1.1
> 
> Description:
> Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
> vulnerability in Glance. By uploading a large enough image to a Glance
> store, an authenticated user may fill the store space because the
> image_size_cap configuration option is not honored. This may prevent
> further image upload and/or cause service disruption. Note that the
> import method is not affected. All Glance setups using API v2 are
> affected (unless you use a policy to restrict/disable image upload).
> 
> References:
> https://launchpad.net/bugs/1315321
> 
> Thanks in advance,
> 

Oups, an error slipped in the CVE request, affected versions did not
include the recent 2014.1.2 that is also vulnerable:

Versions: up to 2013.2.3 and 2014.1 to 2014.1.2


Sorry for the confusion!

--
Tristan Cacqueray
OpenStack Vulnerability Management Team


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ