2015-06-16 19:41 GMT+02:00 Tristan Cacqueray <[email protected]>:
> =====================================================================
> OSSA-2015-011: Cinder host file disclosure through qcow2 backing file
> =====================================================================
>
> :Date: June 16, 2015
> :CVE: CVE-2015-1850
>
>
> Affects
> ~~~~~~~
> - Cinder: versions through 2014.1.4,
>   and 2014.2 versions through 2014.2.3,
>   and version 2015.1.0
>
>
> Description
> ~~~~~~~~~~~
> Bastian Blank from credativ reported a vulnerability in Cinder. By
> overwriting an image with a malicious qcow2 header, an authenticated
> user may mislead Cinder upload-to-image action, resulting in
> disclosure of any file from the Cinder server. All Cinder setups are
> affected.
>
>
> Patches
> ~~~~~~~
> - https://review.openstack.org/191871 (Icehouse)
> - https://review.openstack.org/191865 (Juno)
> - https://review.openstack.org/191786 (Kilo)
> - https://review.openstack.org/191785 (Liberty)
>
>
> Credits
> ~~~~~~~
> - Bastian Blank from Credativ (CVE-2015-1850)
>
>
> References
> ~~~~~~~~~~
> - https://launchpad.net/bugs/1415087
> - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1850
>
>
> Notes
> ~~~~~
> - This fix will be included in future 2014.1.5 (icehouse), 2014.2.4
>   (juno) and 2015.1.1 (kilo) releases.
>
There were discussions about not issuing stable point releases anymore.
Will there be new releases or not?

Regards,
H.

> --
> Tristan Cacqueray
> OpenStack Vulnerability Management Team
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
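
The quoted advisory turns on volume content that begins with a qcow2 header naming a backing file. As an added example (not part of this thread and not the Cinder patch), the check below reads the leading qcow2 header fields of a volume and refuses content whose header disagrees with the recorded format or references a backing file; the function names, the refusal policy and the sample bytes are constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Start of the qcow2 header, big-endian:
# magic, version, backing_file_offset (u64), backing_file_size (u32)
PREFIX = struct.Struct(">4sIQI")


def probe_head(blob: bytes):
    """Classify the first bytes of a volume.

    Returns (fmt, backing): fmt is "raw" or "qcow2"; backing is None when
    no backing file is referenced, otherwise the referenced name.
    """
    if len(blob) < PREFIX.size:
        return "raw", None
    magic, _version, offset, size = PREFIX.unpack_from(blob)
    if magic != QCOW2_MAGIC:
        return "raw", None
    if offset == 0 or size == 0:
        return "qcow2", None
    name = blob[offset:offset + size]
    if len(name) < size:
        # Name lies past the bytes we were given; still a reference.
        return "qcow2", "<name outside supplied bytes>"
    return "qcow2", name.decode("utf-8", errors="replace")


def upload_allowed(blob: bytes, expected_fmt: str = "raw") -> bool:
    """Refuse content whose header disagrees with the format the service
    recorded for the volume, or that points at a backing file."""
    fmt, backing = probe_head(blob)
    return fmt == expected_fmt and backing is None


def constructed_qcow2_head(backing: bytes = b"") -> bytes:
    """Constructed sample: 72-byte version 2 header, remaining fields zeroed."""
    offset = 72 if backing else 0
    head = PREFIX.pack(QCOW2_MAGIC, 2, offset, len(backing))
    return head.ljust(72, b"\0") + backing


if __name__ == "__main__":
    samples = {
        "zero-filled volume": bytes(512),
        "qcow2, no backing file": constructed_qcow2_head(),
        "qcow2 with backing file": constructed_qcow2_head(b"/constructed/base.img"),
    }
    for label, blob in samples.items():
        print(label, probe_head(blob), "allowed" if upload_allowed(blob) else "refused")
```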
