Your message dated Thu, 25 Dec 2014 10:19:14 +0000
with message-id <e1y45vi-0005b4...@franck.debian.org>
and subject line Bug#773836: fixed in glance 2014.1.3-6
has caused the Debian Bug report #773836,
regarding glance: unrestricted path traversal flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: glance
Version: 2014.1.3-5
Severity: serious
Tags: security upstream

Hi

Setting this to serious/RC since this probably should go as well to
jessie (please let me know if you disagree on severity). From [1]:

 [1] http://www.openwall.com/lists/oss-security/2014/12/23/2

> Masahito Muroi from NTT reported a vulnerability in Glance. By setting 
> a malicious image location an authenticated user can download or delete
> any file on the Glance server for which the Glance process user has 
> access to. Only setups using the Glance V2 API are affected by this flaw.

More details are also on the Red Hat bugzilla entry[2].

 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1174474

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: glance
Source-Version: 2014.1.3-6

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 25 Dec 2014 17:28:05 +0800
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.1.3-6
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 773836
Changes:
 glance (2014.1.3-6) unstable; urgency=high
 .
   * Added restrict_client_download_and_delete_files_in_glance-api_juno.patch
     from upstream (Closes: #773836).
   * Build-depends on openstack-pkg-tools (>= 20~) to ensure we have the
     systemd fixes.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
