Date: Tue, 19 Aug 2014 10:59:39 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request for vulnerability in OpenStack Glance On 08/19/2014 10:43 AM, Tristan Cacqueray wrote: > A vulnerability was discovered in OpenStack (see below). In order to > ensure full traceability, we need a CVE number assigned that we can > attach to further notifications. This issue is already public, although > an advisory was not sent yet. > > Title: Glance store DoS through disk space exhaustion > Reporter: Thomas Leaman (HP), Stuart McLaren (HP) > Products: Glance > Versions: up to 2013.2.3 and 2014.1 to 2014.1.1 > > Description: > Thomas Leaman and Stuart McLaren from Hewlett Packard reported a > vulnerability in Glance. By uploading a large enough image to a Glance > store, an authenticated user may fill the store space because the > image_size_cap configuration option is not honored. This may prevent > further image upload and/or cause service disruption. Note that the > import method is not affected. All Glance setups using API v2 are > affected (unless you use a policy to restrict/disable image upload). > > References: > https://launchpad.net/bugs/1315321 > > Thanks in advance, > Oups, an error slipped in the CVE request, affected versions did not include the recent 2014.1.2 that is also vulnerable: Versions: up to 2013.2.3 and 2014.1 to 2014.1.2 Sorry for the confusion! -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ