Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 29 Jan 2013 21:07:06 +0100
From: Thierry Carrez <thierry@...nstack.org>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, 
 oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org
Subject: [OSSA 2013-002] Backend password leak in Glance error message (CVE-2013-0212)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-002
CVE: CVE-2013-0212
Date: January 29, 2013
Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions

Dan Prince of Red Hat discovered an issue in Glance error reporting. By
creating an image in Glance by URL that references a mis-configured
Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image
references for any reason becomes unusable, an authenticated user may
access the Glance operator's Swift credentials for that endpoint. Only
setups that use the single-tenant Swift store are affected.

Grizzly (development branch) fix:
http://github.com/openstack/glance/commit/e96273112b5b5da58d970796b7cfce04c5030a89

Folsom fix (included in upcoming Glance 2012.2.3 stable update):
http://github.com/openstack/glance/commit/96a470be64adcef97f235ca96ed3c59ed954a4c1

Essex fix:
http://github.com/openstack/glance/commit/37d4d96bf88c2bf3e7e9511b5e321cf4bed364b7

References:
https://bugs.launchpad.net/glance/+bug/1098962
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0212

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRCCvqAAoJEFB6+JAlsQQj9scP/1bQzhQ5lA/jNoPIPMlUKOr4
NlrT9+QA6pF3xOjTQeyViTTUfMn1YHdOTS8bi/NeSlL3UuEhpdCb59APwqmZva3u
Tx+so6L3nc5qNRdDAAr6oNBYmD08T41ceLpzjv9BbTgPxD4gUCg9WeySBAa+I7MU
1w1hvhObhQWZ8Xvqf/2tKTrMpGuJOS/0aoMSQUMqFR47moyYgBznNT6J3FaC3haE
jRh4RSv7XKN2MU0Cv05m/txXNUTP6rtl+qAiGW9UZvhTHY/kafaJLi/HuGkmANf0
fkuoKL5VxFYoIbHDlJ+ymPUz/jgoZJNkvvmS5mQH7YFBdgAvzAIAYJ4jk8uOMMmo
AHqaVdfZYCWRP6pMDzjnU5EGhRrgt2RafWsnU8MyYePrF3G8dcikvQlIki+PlmPT
+zXjPoIsirFJh3XSTRNbUDwIww6AuBbhxgJD78NhQY/12MC5zELOasWcpTKPyvLs
HTIe8AbVLf5Z0blZdUZHGlzFBQlgPU3ydIjY1UStWPYNCQs2hTrtoq9y68LmDzix
jRQ3jmKhMGsLwlrcskSyD/1qGGD6NNPRJwME7pXspy7mBlN0LS9OLRwhYHTzNGwx
YTSKhy12xooqYkaJncZEduTBKwMJLMwk/HZxD7KRuKPM7xoK64mkyz/03rUsQORj
na6Kqw9rcPfJG0jfh3/c
=PyUp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.