Date: Thu, 10 Apr 2014 19:20:18 +0200 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-012] Remote code execution in Glance Sheepdog backend (CVE-2014-0162) OpenStack Security Advisory: 2014-012 CVE: CVE-2014-0162 Date: April 10, 2014 Title: Remote code execution in Glance Sheepdog backend Reporter: Paul McMillan (Nebula) Products: Glance Versions: from 2013.2 to 2013.2.3 Description: Paul McMillan from Nebula reported a vulnerability in Glance Sheepdog backend. By using a specially crafted location, a user allowed to insert or modify Glance image metadata may trigger code execution on the Glance host as the user the Glance service runs under. This may result in Glance host unauthorized access and further compromise of the Glance service. All setups using Glance server with the (enabled by default) sheepdog backend are affected. Juno (development branch) fix: https://review.openstack.org/86622 Icehouse (milestone-proposed branch) fix: https://review.openstack.org/86625 Havana fix: https://review.openstack.org/86626 Notes: This fix will be included in the icehouse-rc2 development milestone and in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0162 https://launchpad.net/bugs/1298698 -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (556 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.