On 1/6/15 10:31 AM, Jesse Keating wrote:
Hopefully all of you have seen http://seclists.org/oss-sec/2015/q1/64
which is the glance v2 api directory traversal bug. Upstream has fixed
master (kilo) and juno, but havana has not been fixed.
We, unfortunately, have a few havana installs out there and we'd like to
patch this ahead of our planned upgrade to Juno. I'm curious if anybody
else out there is in the same situation and is working on backporting
the glance patch. If not, I'll share the patch when I'm done, but if so
I'd love to share in the work and help the effort.
Cheers, and happy patching!
No responses, but I was able to do the backport. I've tested manually
and without the patch I could coax glance into delivering files from the
filesystem to me, and with the patch it will not do that. I can still
add a location for the allowed schemes, such as http scheme, so this all
seems good.
https://github.com/blueboxgroup/glance/commit/7ab98b72802de1d5695d35306e32293463977496
--
-jlk
_______________________________________________
OpenStack-operators mailing list
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
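The behaviour described in the reply above (pre-patch glance serving arbitrary filesystem files when a user-supplied image location pointed at them; post-patch only explicitly permitted schemes such as http being accepted) comes down to an allowlist check on the scheme of a user-supplied location URI. The following is an added illustration of that check and is not glance's code or the linked backport; the ALLOWED_SCHEMES set (the thread names only http), the function names and the sample locations are my own assumptions. It shows why the check is an allowlist rather than a denylist: schemes the code has never heard of, an empty scheme (a bare path) and case variants like FILE:// are all rejected without having to be enumerated.

```python
"""Allowlist check on image-location URI schemes.

Added example, not glance's own code. The allowed set, helper names and
sample locations are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumed allowlist of schemes a tenant may legitimately point an image at.
# The thread only confirms that http remained allowed after the fix; the
# other entries are my additions.
ALLOWED_SCHEMES = frozenset({"http", "https", "swift"})


class LocationRejected(ValueError):
    """Raised when a user-supplied location does not pass the allowlist."""


def location_scheme(location):
    """Return the lowercased URI scheme of a location, or '' if it has none.

    urlsplit() already lowercases the scheme; the extra lower() and strip()
    are defensive so that ' FILE:///etc/passwd' cannot slip past a
    case-sensitive comparison further down.
    """
    if not isinstance(location, str):
        return ""
    return urlsplit(location.strip()).scheme.lower()


def is_allowed_location(location, allowed=ALLOWED_SCHEMES):
    """Allowlist semantics: only explicitly permitted schemes pass.

    A missing scheme ('' for a bare path such as '/etc/passwd') is not in
    the set, so it is rejected as well; nothing is special-cased.
    """
    scheme = location_scheme(location)
    return bool(scheme) and scheme in allowed


def validate_location(location, allowed=ALLOWED_SCHEMES):
    """Return the location unchanged if permitted, else raise LocationRejected."""
    if not is_allowed_location(location, allowed):
        shown = location_scheme(location) or "<none>"
        raise LocationRejected("location scheme %r is not permitted" % shown)
    return location


# Constructed sample locations of the kind a tenant could submit as an
# image location; the file-backed ones model the pre-patch exposure.
SAMPLE_LOCATIONS = [
    "http://example.test/cirros-disk.img",
    "https://example.test/image.qcow2",
    "swift://account:user@example.test/container/object",
    "file:///etc/passwd",
    "FILE:///etc/passwd",
    "file:/etc/passwd",
    "filesystem:///var/lib/glance/images/0001",
    "/etc/passwd",
    "",
]


def triage(locations):
    """Map each candidate location to True (allowed) or False (rejected)."""
    return {loc: is_allowed_location(loc) for loc in locations}


if __name__ == "__main__":
    for loc, ok in triage(SAMPLE_LOCATIONS).items():
        print("%-6s %r" % ("ALLOW" if ok else "REJECT", loc))
```

Wiring this in front of the code path that stores a user-supplied location is the shape of the fix the thread describes: with the check absent, a file:// location is stored and later served back through the image download path; with it present, the add-location call fails while http locations continue to work.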