CVEs related to bugs in Cinder

Open bugs

Bug CVE(s)
Bug #1188189: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection) CVE-2013-2255
Cinder In progress, assigned to Ibad Khan

Resolved bugs

Bug CVE(s)
Bug #1050359: Tests fail on 32bit machines (_get_hash_str is platform dependent) CVE-2012-5625
Cinder Fix released, assigned to Ben Swartzlander
Bug #1053364: Add SIGPIPE handler to subprocess execution in rootwrap and utils.execute CVE-2012-5625
Cinder Fix released, assigned to Thierry Carrez
Bug #1065702: After folsom upgrade, instances can no longer access existing volumes. CVE-2012-5625
Cinder Fix released, assigned to John Griffith
Bug #1071536: typo prevents volume_tmp_dir flag from working CVE-2012-5625
Cinder Fix released, assigned to Josh Durgin
Bug #1073569: Jenkins jobs fail because of incompatibility between sqlalchemy-migrate and the newest sqlalchemy-0.8.0b1 CVE-2012-4573, CVE-2012-5563, CVE-2012-5571
Cinder Fix released, assigned to Sean Dague
Bug #1083818: Detached and deleted RBD volumes remain associated with instance CVE-2012-5625
Cinder Fix released, assigned to Adam Gandelman
Bug #1100282: [OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664) CVE-2013-1664
Cinder Fix released, assigned to Dan Prince
Bug #1150720: [SRU] There is now a dependency on paramiko v1.8.0 CVE-2013-1664
Cinder Fix released, assigned to Avishay Traeger
Bug #1177924: Use testr instead of nose as the unittest runner. CVE-2016-0738
Cinder Fix released, assigned to Michael Kerrin
Bug #1190229: [OSSA 2013-023] Potential unsafe XML usage (CVE-2013-4179, CVE-2013-4202) CVE-2013-4179, CVE-2013-4202
Cinder Fix released, assigned to Thierry Carrez
Bug #1198185: [OSSA 2013-021] Cinder LVM volume driver does not support secure deletion (CVE-2013-4183) CVE-2013-4183
Cinder Fix released, assigned to Rongze Zhu
Bug #1341954: suds client subject to cache poisoning by local attacker CVE-2013-2217
Cinder Fix released, assigned to Vipin Balachandran
Bug #1343604: Exceptions thrown, and messages logged by execute() may include passwords (CVE-2014-7230) CVE-2014-7230
Cinder Fix released, assigned to Jay Bryant
Bug #1350504: [OSSA 2014-033] GlusterFS driver uses unsafe qcow2 format detection (CVE-2014-3641) CVE-2014-3641
Cinder Fix released, assigned to Eric Harney
Bug #1377981: [OSSA 2014-036] Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231) CVE-2014-7230, CVE-2014-7231
Cinder Fix released, assigned to Tristan Cacqueray
Bug #1415087: [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) CVE-2015-1850, CVE-2015-1851
Cinder Fix released, assigned to Eric Harney
Bug #1449062: [OSSA 2016-012] qemu-img calls need to be restricted by ulimit (CVE-2015-5162) CVE-2015-1850, CVE-2015-1851, CVE-2015-5162
Cinder Fix released, assigned to Sean McGinnis
Bug #1529836: Fix deprecated library function (os.popen()). CVE-2016-0738
Cinder Fix released, assigned to Harshada Mangesh Kakad
Bug #1699573: ScaleIO volumes contain previous data CVE-2017-15139
Cinder Fix released, assigned to tssgery
Bug #1784871: ScaleIO (thin) volumes contain previous data (follow-up to 1699573) CVE-2017-15139
Cinder Fix released, assigned to Matan Sabag