Date: Tue, 19 Aug 2014 10:43:23 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: CVE request for vulnerability in OpenStack Glance A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Glance store DoS through disk space exhaustion Reporter: Thomas Leaman (HP), Stuart McLaren (HP) Products: Glance Versions: up to 2013.2.3 and 2014.1 to 2014.1.1 Description: Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration option is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload). References: https://launchpad.net/bugs/1315321 Thanks in advance, -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.