© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
I think we can reuse the existing CVE for this issue and issue an advisory. I've created the draft impact description below:
Title: oslo.vmware uses a version of the suds soap client with known vulnerabilities.
Reporter: Grant Murphy (Red Hat)
Products: oslo.vmware, Nova, Cinder
Versions: from 2013.2 to 2013.2.3, and 2014.1 versions up to 2014.1.1
Description:
Grant Murphy from Red Hat found that oslo.vmware uses a vulnerable dependency.
The suds soap client cache stores pickled objects at a predictable path in /tmp.
A local attacker could pre-emptively create poisoned cache entries to execute
arbitrary code via pickle deserialization. The oslo.vmware code can be found
in the Nova and Cinder projects.
References:
http://