Bug#773836: marked as done (glance: unrestricted path traversal flaw)
Your message dated Thu, 25 Dec 2014 10:19:14 +
with message-id e1y45vi-0005b4...@franck.debian.org
and subject line Bug#773836: fixed in glance 2014.1.3-6
has caused the Debian Bug report #773836,
regarding glance: unrestricted path traversal flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
773836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Source: glance
Version: 2014.1.3-5
Severity: serious
Tags: security upstream

Hi

Setting this to serious/RC since this probably should go as well to
jessie (please let me know if you disagree on severity).

From [1]:

[1] http://www.openwall.com/lists/oss-security/2014/12/23/2

Masahito Muroi from NTT reported a vulnerability in Glance. By setting a
malicious image location an authenticated user can download or delete
any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this
flaw.

More details are also on the Red Hat bugzilla entry[2].

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1174474

Regards,
Salvatore
---End Message---

---BeginMessage---
Source: glance
Source-Version: 2014.1.3-6

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand z...@debian.org (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 25 Dec 2014 17:28:05 +0800
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.1.3-6
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack openstack-de...@lists.alioth.debian.org
Changed-By: Thomas Goirand z...@debian.org
Description:
 glance - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 773836
Changes:
 glance (2014.1.3-6) unstable; urgency=high
 .
   * Added restrict_client_download_and_delete_files_in_glance-api_juno.patch
     from upstream (Closes: #773836).
   * Build-depends on openstack-pkg-tools (= 20~) to ensure we have the
     systemd fixes.
Bug#773836: marked as done (glance: unrestricted path traversal flaw)
Your message dated Thu, 25 Dec 2014 15:34:39 +
with message-id e1y4aqx-0002yl...@franck.debian.org
and subject line Bug#773836: fixed in glance 2014.2.1-2
has caused the Debian Bug report #773836,
regarding glance: unrestricted path traversal flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
773836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Source: glance
Version: 2014.1.3-5
Severity: serious
Tags: security upstream

Hi

Setting this to serious/RC since this probably should go as well to
jessie (please let me know if you disagree on severity).

From [1]:

[1] http://www.openwall.com/lists/oss-security/2014/12/23/2

Masahito Muroi from NTT reported a vulnerability in Glance. By setting a
malicious image location an authenticated user can download or delete
any file on the Glance server for which the Glance process user has
access to. Only setups using the Glance V2 API are affected by this
flaw.

More details are also on the Red Hat bugzilla entry[2].

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1174474

Regards,
Salvatore
---End Message---

---BeginMessage---
Source: glance
Source-Version: 2014.2.1-2

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand z...@debian.org (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 25 Dec 2014 17:24:40 +0800
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.2.1-2
Distribution: experimental
Urgency: medium
Maintainer: PKG OpenStack openstack-de...@lists.alioth.debian.org
Changed-By: Thomas Goirand z...@debian.org
Description:
 glance - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 773836
Changes:
 glance (2014.2.1-2) experimental; urgency=medium
 .
   * Added restrict_client_download_and_delete_files_in_glance-api_juno.patch
     from upstream (Closes: #773836).