Date: Tue, 28 Jul 2015 08:27:23 -0700 From: Grant Murphy <grant.murphy@...com> To: oss-security@...ts.openwall.com Subject: [OSSA 2015-013] Glance task flow may fail to delete image from backend (CVE-2015-3289) ===================================================================== OSSA-2015-013: Glance task flow may fail to delete image from backend ===================================================================== :Date: July 28, 2015 :CVE: CVE-2015-3289 Affects ~~~~~~~ - Glance: versions 2015.1.0 Description ~~~~~~~~~~~ Abhishek Kekane from NTT reported a vulnerability in Glance. By creating numerous images using the import task flow API and deleting them, an authenticated attacker may accumulate untracked image data in the backend resulting in potential resource exhaustion and denial of service. All glance setups are affected. Patches ~~~~~~~ - https://review.openstack.org/#/c/181816/ (Kilo) - https://review.openstack.org/#/c/181345/ (Liberty) Credits ~~~~~~~ - Abhishek Kekane from NTT (CVE-2015-3289) References ~~~~~~~~~~ - https://launchpad.net/bugs/1454087 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3289 Notes ~~~~~ - This fix will be included in the future 2015.1.1 (kilo) release. [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ