Comment 3 for bug 1198185

Jeremy Stanley (fungi) wrote : Re: delete_snapshot in LVMVolumeDriver not really zero the snapshot

Proposed impact description (will be used in CVE request and public advisory):

----------------------------------
Title: Cinder LVMVolumeDriver does not zero deleted snapshots
Reporter: Rongze Zhu
Products: Cinder
Affects: 2012.2 (Grizzly) and later

Description:
Rongze Zhu reported a vulnerability in the Cinder LVM volume driver.
When deleting an LVM volume snapshot the previous contents may not
be zeroed, resulting in potential exposure of latent data to
subsequent servers for other tenants. Only setups using
LVMVolumeDriver are affected.
----------------------------------

Everyone: please check that the description is accurate.

Rongze Zhu: do you want us to additionally credit the company you work for (SINA, UnitedStack, anyone)?