Your message dated Wed, 21 Jan 2015 16:48:31 +0000
with message-id <[email protected]>
and subject line Bug#775926: fixed in glance 2014.1.3-11
has caused the Debian Bug report #775926,
regarding CVE-2015-1195: Glance still allows users to download and delete any file in glance-api server
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
775926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775926
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glance
Version: 2014.1.3-10
Severity: critical
Tags: security patch

Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance were
not fully patched in OSSA 2014-041. By setting a malicious image location to a
filesystem:// scheme an authenticated user can still download or delete any
file on the Glance server to which the Glance process user has access. Only
setups using the Glance V2 API are affected by this flaw.

Kilo (development branch) fix:
https://review.openstack.org/145640

Juno fix:
https://review.openstack.org/145916

Icehouse fix:
https://review.openstack.org/145974
--- End Message ---
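The advisory's point is that the earlier fix rejected one spelling of the local-file scheme while an alias (`filesystem://`) still reached the same backend. The check below is an added illustration, not Glance's own code: it contrasts a single-scheme denylist with an allowlist of remote store schemes. The scheme sets and function names are assumptions made for this example.

```python
from urllib.parse import urlparse

# Schemes that resolve to the glance-api host's own filesystem. Constructed
# for this example; the names mirror the aliases the advisory describes.
LOCAL_SCHEMES = frozenset({"file", "filesystem"})

# Remote backends an operator might let a user reference as an image
# location. Constructed list; a real deployment derives it from the stores
# that are actually configured.
REMOTE_SCHEMES = frozenset({"http", "https", "swift", "rbd"})


def location_ok_denylist(uri: str) -> bool:
    """Shape of the incomplete fix: block the one scheme that was reported.

    Any alias that maps to the same local backend slips through.
    """
    return urlparse(uri).scheme != "file"


def location_ok_allowlist(uri: str) -> bool:
    """Accept only a known, non-local scheme as a user-supplied location.

    Empty or unparseable URIs fail closed; local aliases are rejected even
    if someone later adds them to the remote set by mistake.
    """
    if not uri:
        return False
    scheme = urlparse(uri).scheme.lower()
    return scheme in REMOTE_SCHEMES and scheme not in LOCAL_SCHEMES


def classify(uri: str) -> dict:
    """Return both verdicts so the gap between the two checks is visible."""
    return {
        "uri": uri,
        "denylist_allows": location_ok_denylist(uri),
        "allowlist_allows": location_ok_allowlist(uri),
    }
```

`classify("filesystem:///srv/private.img")` shows the denylist accepting the alias while the allowlist rejects it; only URIs with a configured remote scheme pass the second check.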
--- Begin Message ---
Source: glance
Source-Version: 2014.1.3-11

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 21 Jan 2015 16:13:33 +0000
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.1.3-11
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 775926
Changes:
 glance (2014.1.3-11) unstable; urgency=high
 .
   * CVE-2015-1195: fixes "Glance still allows users to download and delete any
     file in glance-api server" by applying upstream patch (Closes: #775926).
--- End Message ---

