Your message dated Thu, 29 Jan 2015 16:19:19 +0000
with message-id <[email protected]>
and subject line Bug#776580: fixed in glance 2014.1.3-12
has caused the Debian Bug report #776580,
regarding glance: CVE-2014-9623: Glance user storage quota bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
776580: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776580
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glance
Version: 2014.1.3-11
Severity: important
Tags: patch
Note from maintainer: I'm opening this bug before uploading the fix.
Title: Glance user storage quota bypass
Reporter: Tushar Patil (NTT)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1
Description:
Tushar Patil from NTT reported a vulnerability in Glance. By deleting images
that are being uploaded, a malicious user can overcome the storage quota and
thus may overrun the backend. Images in deleted state are not taken into
account by quota and won't be effectively deleted until the upload is
completed. Only Glance setups configured with user_storage_quota are
affected.
Kilo (development branch) fix:
https://review.openstack.org/144464
Juno fix:
https://review.openstack.org/149387
Icehouse fix:
https://review.openstack.org/149646
CVE: CVE-2014-9623
--- End Message ---
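An operator-side check for the condition described in the report above, as an added example (it is not part of the original messages and is not Glance code): it reconciles the usage a quota check would count against what the backend actually stores, and lists deleted images that still hold data. The record fields, image ids, sizes and quota value are constructed assumptions, and the quota check is modelled simply as "count every image not in deleted state".

```python
from collections import defaultdict

# Constructed sample data, not real Glance output; field names are assumptions.
IMAGES = [
    {"id": "img-a", "owner": "tenant1", "status": "active"},
    {"id": "img-b", "owner": "tenant1", "status": "deleted"},
    {"id": "img-c", "owner": "tenant1", "status": "deleted"},
    {"id": "img-d", "owner": "tenant2", "status": "active"},
    {"id": "img-e", "owner": "tenant2", "status": "deleted"},
]
# Bytes the storage backend currently holds per image id (constructed).
BACKEND_BYTES = {"img-a": 400, "img-b": 900, "img-c": 700, "img-d": 300}


def reconcile(images, backend_bytes, quota):
    """Compare quota-visible usage with what the backend really stores."""
    counted = defaultdict(int)   # usage as the modelled quota check sees it
    stored = defaultdict(int)    # bytes actually present on the backend
    orphans = defaultdict(list)  # deleted images whose data still exists
    for img in images:
        size = backend_bytes.get(img["id"], 0)
        stored[img["owner"]] += size
        if img["status"] == "deleted":
            if size:
                orphans[img["owner"]].append(img["id"])
        else:
            counted[img["owner"]] += size
    return {
        owner: {
            "counted": counted[owner],
            "stored": stored[owner],
            "orphans": sorted(orphans[owner]),
            # True when real usage exceeds the quota, whatever was counted.
            "over_quota": stored[owner] > quota,
        }
        for owner in stored
    }


if __name__ == "__main__":
    for owner, row in sorted(reconcile(IMAGES, BACKEND_BYTES, 1000).items()):
        print(owner, row)
```

A gap between "counted" and "stored" for an owner, together with a non-empty "orphans" list, is the signature of the accounting hole the report describes.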
--- Begin Message ---
Source: glance
Source-Version: 2014.1.3-12
We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated glance package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 29 Jan 2015 16:21:39 +0100
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.1.3-12
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
glance - OpenStack Image Service - metapackage
glance-api - OpenStack Image Service - API server
glance-common - OpenStack Image Service - common files
glance-registry - OpenStack Image Service - registry server
python-glance - OpenStack Image Service - Python client library
python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 776580
Changes:
glance (2014.1.3-12) unstable; urgency=high
.
* CVE-2014-9623: Glance user storage quota bypass. Applied upstream patch:
Cleanup_chunks_for_deleted_image_that_was_saving_icehouse.patch
(Closes: #776580).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---