Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 17:00:13 +0000
From: Tristan Cacqueray <>
Subject: [OSSA 2016-003] Heat denial of service through template-validate

OSSA-2016-003: Heat denial of service through template-validate

:Date: January 19, 2016
:CVE: CVE-2015-5295

- Heat: <=2015.1.2, ==5.0.0

Steven Hardy from Red Hat reported a vulnerability in Heat template
validation. By referencing a local file like /dev/zero, an
authenticated user may trick the heat engine service to load arbitrary
local file content resulting in a Denial of Service attack through
memory exhaustion. Note that the file content is not written back to
the user, though the user can determine if a file exists and if it is
readable by heat-engine. All Heat setups are affected.

- (Kilo)
- (Liberty)
- (Mitaka)

- Steven Hardy from Red Hat (CVE-2015-5295)


- This fix will be included in future 2015.1.3 (kilo) and 5.0.1
  (liberty) releases.

Tristan Cacqueray
OpenStack Vulnerability Management Team

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ