Your message dated Sat, 20 Jun 2015 11:02:05 +0000
with message-id <e1z6gxf-0000gp...@franck.debian.org>
and subject line Bug#788996: fixed in cinder 2014.1.3-11+deb8u1
has caused the Debian Bug report #788996,
regarding cinder: CVE-2015-1851: [OSSA 2015-011] Cinder host file disclosure 
through qcow2 backing file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
788996: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788996
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cinder
Severity: grave
Tags: security patch

=====================================================================
OSSA-2015-011: Cinder host file disclosure through qcow2 backing file
=====================================================================

:Date: June 16, 2015
:CVE: CVE-2015-1850


Affects
~~~~~~~
- Cinder: versions through 2014.1.4,
          and 2014.2 versions through 2014.2.3,
          and version 2015.1.0


Description
~~~~~~~~~~~
Bastian Blank from credativ reported a vulnerability in Cinder. By
overwriting an image with a malicious qcow2 header, an authenticated
user may mislead the Cinder upload-to-image action, resulting in
disclosure of any file from the Cinder server. All Cinder setups are
affected.


Patches
~~~~~~~
- https://review.openstack.org/191871 (Icehouse)
- https://review.openstack.org/191865 (Juno)
- https://review.openstack.org/191786 (Kilo)
- https://review.openstack.org/191785 (Liberty)


Credits
~~~~~~~
- Bastian Blank from Credativ (CVE-2015-1850)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1415087
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1850


Notes
~~~~~
- This fix will be included in future 2014.1.5 (icehouse), 2014.2.4
  (juno) and 2015.1.1 (kilo) releases.

--- End Message ---
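
Added example, not part of the advisory and not the upstream Cinder patch: a header check that refuses volume data declaring a qcow2 backing file, which is the condition the fix disallows. The function names and the sample header are constructed for illustration, and inspecting the raw header bytes (rather than asking a tool such as qemu-img) is an assumption of this sketch.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Big-endian: magic, version, backing_file_offset (u64), backing_file_size (u32)
HEADER = struct.Struct(">4sIQI")


class BackingFileError(ValueError):
    """The data carries a qcow2 header that references a backing file."""


def qcow2_backing_file(data: bytes):
    """Return the backing file name a qcow2 header declares, else None."""
    if len(data) < HEADER.size or data[:4] != QCOW2_MAGIC:
        return None  # not qcow2: no header for a converter to follow
    _magic, _version, offset, size = HEADER.unpack_from(data)
    if offset == 0 and size == 0:
        return None  # qcow2 without a backing file
    name = data[offset:offset + size]
    if len(name) != size:
        # Declared, but the name lies outside this buffer: still refuse.
        return "<backing file declared, name outside buffer>"
    return name.decode("utf-8", "replace")


def check_before_upload(data: bytes) -> None:
    """Refuse volume data whose header points at a backing file."""
    name = qcow2_backing_file(data)
    if name is not None:
        raise BackingFileError("backing file not allowed: %r" % name)


def make_sample_header(backing: bytes = b"") -> bytes:
    """Constructed test input: a minimal qcow2 v2 header (72 bytes)."""
    offset = 72 if backing else 0
    fixed = HEADER.pack(QCOW2_MAGIC, 2, offset, len(backing))
    return fixed.ljust(72, b"\0") + backing
```

The volume contents are tenant-controlled, so the check has to run on the bytes actually read from the volume immediately before any format conversion, not on the format recorded in the database.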
--- Begin Message ---
Source: cinder
Source-Version: 2014.1.3-11+deb8u1

We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 788...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated cinder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 17 Jun 2015 00:07:12 +0200
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler cinder-backup
Architecture: source all
Version: 2014.1.3-11+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 cinder-api - OpenStack block storage system - API server
 cinder-backup - OpenStack block storage system - Backup server
 cinder-common - OpenStack block storage system - common files
 cinder-scheduler - OpenStack block storage system - Scheduler server
 cinder-volume - OpenStack block storage system - Volume server
 python-cinder - OpenStack block storage system - Python libraries
Closes: 788996
Changes:
 cinder (2014.1.3-11+deb8u1) jessie-security; urgency=medium
 .
   * CVE-2015-1851: Cinder host file disclosure through qcow2 backing file.
     Applied upstream patch (Closes: #788996):
     Disallow_backing_files_when_uploading_volumes_to_image.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
