Date: Thu, 29 May 2014 19:47:54 +0000 From: Jeremy Stanley <jeremy@...nstack.org> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-017] Nova VMWare driver leaks rescued images (CVE-2014-2573) OpenStack Security Advisory: 2014-017 CVE: CVE-2014-2573 Date: May 29, 2014 Title: Nova VMWare driver leaks rescued images Reporter: Jaroslav Henner (Red Hat) Products: Nova Versions: from 2013.2 to 2013.2.3, and 2014.1 Description: Jaroslav Henner from Red Hat reported a vulnerability in Nova. By requesting Nova place an image into rescue, then deleting the image, an authenticated user my exceed their quota. This can result in a denial of service via excessive resource consumption. Only setups using the Nova VMWare driver are affected. Juno (development branch) fix: https://review.openstack.org/75788 https://review.openstack.org/80284 Icehouse fix: https://review.openstack.org/88514 https://review.openstack.org/89217 Havana fix: https://review.openstack.org/89762 https://review.openstack.org/89768 Notes: This fix will be included in the juno-1 development milestone and in future 2013.2.4 and 2014.1.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573 https://launchpad.net/bugs/1269418 -- Jeremy Stanley OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (950 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.