Your message dated Wed, 21 Jan 2015 17:18:28 +0000
with message-id <[email protected]>
and subject line Bug#775926: fixed in glance 2014.2.1-4
has caused the Debian Bug report #775926,
regarding CVE-2015-1195: Glance still allows users to download and delete any file in glance-api server
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
775926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775926
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glance
Version: 2014.1.3-10
Severity: critical
Tags: security patch

Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1

Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance were not fully patched in OSSA 2014-041. By setting a malicious image location to a filesystem:// scheme, an authenticated user can still download or delete any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.

Kilo (development branch) fix: https://review.openstack.org/145640
Juno fix: https://review.openstack.org/145916
Icehouse fix: https://review.openstack.org/145974
--- End Message ---
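As an added illustration of the class of fix the advisory above describes (this is example code, not Glance's or Debian's own), a validator for user-supplied image locations: it rejects the file, filesystem and swift+config schemes named in the changelog, and additionally requires the scheme to be on an allow-list of remote store backends, so that an unanticipated local-access scheme cannot slip through a deny-list alone. ALLOWED_SCHEMES and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Schemes the advisory describes as usable to read or delete files on the
# glance-api host. OSSA 2014-041 covered "file" and "swift+config";
# CVE-2015-1195 adds "filesystem".
RESTRICTED_SCHEMES = frozenset({"file", "filesystem", "swift+config"})

# Assumed allow-list of remote store backends a deployment actually enables.
ALLOWED_SCHEMES = frozenset({"http", "https", "swift", "rbd", "s3", "cinder"})


class InvalidLocation(ValueError):
    """Raised when a location must not be accepted from an API user."""


def scheme_blocked_by_denylist(uri: str, denylist=RESTRICTED_SCHEMES) -> bool:
    """True if the URI's scheme is on the given deny-list (case-insensitive).

    A deny-list alone is only as good as its completeness, which is the
    gap the advisory reports: a list lacking "filesystem" passes it.
    """
    return urlsplit(uri.strip()).scheme.lower() in denylist


def validate_image_location(uri: str) -> str:
    """Return the normalised location or raise InvalidLocation.

    Checks, in order: a scheme is present, it is not restricted, and it is
    an enabled remote backend. Comparison is case-insensitive because URI
    schemes are, so "FILE://" must not bypass the check.
    """
    if not isinstance(uri, str) or not uri.strip():
        raise InvalidLocation("empty location")
    uri = uri.strip()
    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        raise InvalidLocation("location has no scheme: %r" % uri)
    if scheme in RESTRICTED_SCHEMES:
        raise InvalidLocation("scheme %r would expose files on the API host" % scheme)
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidLocation("scheme %r is not an enabled store" % scheme)
    return uri


def is_safe_location(uri: str) -> bool:
    """Boolean wrapper, convenient for filtering a batch of locations."""
    try:
        validate_image_location(uri)
        return True
    except InvalidLocation:
        return False
```

The sample locations in the test are constructed placeholders, not real paths from the report.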
--- Begin Message ---
Source: glance
Source-Version: 2014.2.1-4

We believe that the bug you reported is fixed in the latest version of glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated glance package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Wed, 21 Jan 2015 17:31:46 +0100
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.2.1-4
Distribution: experimental
Urgency: medium
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
 glance            - OpenStack Image Service - metapackage
 glance-api        - OpenStack Image Service - API server
 glance-common     - OpenStack Image Service - common files
 glance-registry   - OpenStack Image Service - registry server
 python-glance     - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 775926
Changes:
 glance (2014.2.1-4) experimental; urgency=medium
 .
   * CVE-2015-1195: Prevent file, swift+config and filesystem schemes
     (applied upstream patch). (Closes: #775926).
--- End Message ---

