2015-02-11 09:48:06 |
Abhishek Kekane |
bug |
|
|
added bug |
2015-02-11 09:49:22 |
Abhishek Kekane |
bug |
|
|
added subscriber Tushar Patil |
2015-02-11 09:50:26 |
Abhishek Kekane |
bug |
|
|
added subscriber Kentaro Takeda |
2015-02-11 09:50:31 |
Abhishek Kekane |
glance: assignee |
|
Abhishek Kekane (abhishek-kekane) |
|
2015-02-11 09:54:31 |
Abhishek Kekane |
description |
When deleting an image created using the task API (import-from), the image gets deleted from the database, but the image data remains in the backend.
Steps to reproduce:
1. Create image using task api
$ curl -i -X POST -H 'User-Agent: python-glanceclient' -H 'Content-Type: application/json' -H 'Accept-Encoding: gzip, deflate, compress' -H 'Accept: */*' -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e' -d '{"type": "import", "input": {"import_from": "http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso", "import_from_format": "raw", "image_properties": {"disk_format": "raw", "container_format": "bare", "name": "task_image"}}}' http://10.69.4.176:9292/v2/tasks
2. Wait until the image becomes active.
3. Confirm the image is in active state.
$ glance image-list
4. Delete the image
$ glance image-delete <image-id>
5. Verify image-list does not show the deleted image
$ glance image-list
The image gets deleted from the database, but the image data is still present in the backend.
Problem:
The import task does not update the location of the image, and it remains None even after the image becomes active.
A location entry is not added to the image_locations table in the database.
While deleting the image, it checks whether a location is present for the image [1][2], and only then deletes the image data from that location.
[1] v1: https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L1066
[2] v2: https://github.com/openstack/glance/blob/master/glance/location.py#L361
This issue is also reproducible in stable/juno as well as current master.
Note: You need to replace the auth token in the above curl command; otherwise it will raise an authentication failure error.
(Use the 'keystone token-get' command to generate a new token) |
When deleting an image created using the task API (import-from), the image gets deleted from the database, but the image data remains in the backend.
Steps to reproduce:
1. Create image using task api
$ curl -i -X POST -H 'User-Agent: python-glanceclient' -H 'Content-Type: application/json' -H 'Accept-Encoding: gzip, deflate, compress' -H 'Accept: */*' -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e' -d '{"type": "import", "input": {"import_from": "http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso", "import_from_format": "raw", "image_properties": {"disk_format": "raw", "container_format": "bare", "name": "task_image"}}}' http://10.69.4.176:9292/v2/tasks
2. Wait until the image becomes active.
3. Confirm the image is in active state.
$ glance image-list
4. Delete the image
$ glance image-delete <image-id>
5. Verify image-list does not show the deleted image
$ glance image-list
The image gets deleted from the database, but the image data is still present in the backend.
Problem:
The import task does not update the location of the image, and it remains None even after the image becomes active.
A location entry is not added to the image_locations table in the database.
While deleting the image, it checks whether a location is present for the image [1][2], and only then deletes the image data from that location.
[1] v1: https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L1066
[2] v2: https://github.com/openstack/glance/blob/master/glance/location.py#L361
This issue is reproducible in stable/juno as well as in current master.
Note: You need to replace the auth token in the above curl command; otherwise it will raise an authentication failure error.
(Use the 'keystone token-get' command to generate a new token) |
|
2015-02-11 13:42:16 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
2015-02-11 13:42:42 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
2015-02-11 13:43:40 |
Tristan Cacqueray |
description |
--
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
When deleting an image created using the task API (import-from), the image gets deleted from the database, but the image data remains in the backend.
Steps to reproduce:
1. Create image using task api
$ curl -i -X POST -H 'User-Agent: python-glanceclient' -H 'Content-Type: application/json' -H 'Accept-Encoding: gzip, deflate, compress' -H 'Accept: */*' -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e' -d '{"type": "import", "input": {"import_from": "http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso", "import_from_format": "raw", "image_properties": {"disk_format": "raw", "container_format": "bare", "name": "task_image"}}}' http://10.69.4.176:9292/v2/tasks
2. Wait until the image becomes active.
3. Confirm the image is in active state.
$ glance image-list
4. Delete the image
$ glance image-delete <image-id>
5. Verify image-list does not show the deleted image
$ glance image-list
The image gets deleted from the database, but the image data is still present in the backend.
Problem:
The import task does not update the location of the image, and it remains None even after the image becomes active.
A location entry is not added to the image_locations table in the database.
While deleting the image, it checks whether a location is present for the image [1][2], and only then deletes the image data from that location.
[1] v1: https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L1066
[2] v2: https://github.com/openstack/glance/blob/master/glance/location.py#L361
This issue is reproducible in stable/juno as well as in current master.
Note: You need to replace the auth token in the above curl command; otherwise it will raise an authentication failure error.
(Use the 'keystone token-get' command to generate a new token) |
|
2015-02-11 15:02:36 |
Jeremy Stanley |
bug |
|
|
added subscriber Glance Core security contacts |
2015-02-12 00:37:02 |
Kentaro Takeda |
bug |
|
|
added subscriber Tomoko Inoue |
2015-02-12 00:37:26 |
Kentaro Takeda |
bug |
|
|
added subscriber Nobuyoshi NIHONGI |
2015-02-12 00:37:47 |
Kentaro Takeda |
bug |
|
|
added subscriber Shintaro Mizuno |
2015-02-12 05:18:35 |
Tomoko Inoue |
bug |
|
|
added subscriber SamP |
2015-02-12 05:22:37 |
Tomoko Inoue |
bug |
|
|
added subscriber Takashi NATSUME |
2015-02-12 05:23:06 |
Tomoko Inoue |
bug |
|
|
added subscriber Koji Iida |
2015-02-12 05:24:21 |
Tomoko Inoue |
bug |
|
|
added subscriber Masahito Muroi |
2015-02-12 15:13:17 |
Nikhil Komawar |
glance: status |
New |
Triaged |
|
2015-02-12 15:13:22 |
Nikhil Komawar |
glance: importance |
Undecided |
Critical |
|
2015-02-12 15:13:26 |
Nikhil Komawar |
glance: milestone |
|
kilo-3 |
|
2015-02-13 12:33:20 |
Abhishek Kekane |
attachment added |
|
0001-Image-data-remains-in-backend-for-deleted-image.patch https://bugs.launchpad.net/glance/+bug/1420696/+attachment/4318753/+files/0001-Image-data-remains-in-backend-for-deleted-image.patch |
|
2015-02-16 09:45:19 |
Abhishek Kekane |
attachment added |
|
0001-Image-data-remains-in-backend-for-deleted-image.patch https://bugs.launchpad.net/glance/+bug/1420696/+attachment/4320367/+files/0001-Image-data-remains-in-backend-for-deleted-image.patch |
|
2015-02-16 10:22:45 |
Abhishek Kekane |
tags |
ntt |
juno-backport-potential ntt |
|
2015-02-16 15:24:38 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
2015-02-16 15:24:42 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2015-02-16 15:24:49 |
Tristan Cacqueray |
ossa: importance |
Undecided |
High |
|
2015-02-16 21:48:48 |
Tristan Cacqueray |
ossa: status |
Confirmed |
Triaged |
|
2015-02-19 14:00:35 |
Thierry Carrez |
nominated for series |
|
glance/juno |
|
2015-02-19 14:00:35 |
Thierry Carrez |
bug task added |
|
glance/juno |
|
2015-02-19 14:00:35 |
Thierry Carrez |
nominated for series |
|
glance/icehouse |
|
2015-02-19 14:00:35 |
Thierry Carrez |
bug task added |
|
glance/icehouse |
|
2015-02-19 14:00:48 |
Thierry Carrez |
tags |
juno-backport-potential ntt |
ntt |
|
2015-02-19 14:01:31 |
Thierry Carrez |
glance/icehouse: status |
New |
Invalid |
|
2015-02-19 14:01:45 |
Thierry Carrez |
glance: status |
Triaged |
In Progress |
|
2015-02-19 14:01:48 |
Thierry Carrez |
glance/juno: status |
New |
In Progress |
|
2015-02-19 14:16:15 |
Thierry Carrez |
information type |
Private Security |
Public Security |
|
2015-02-19 18:28:02 |
Tristan Cacqueray |
summary |
Image data remains in backend after deleting the image created using task api (import-from) |
Image data remains in backend after deleting the image created using task api (import-from) (CVE-2015-1881) |
|
2015-02-23 16:22:31 |
Thierry Carrez |
glance: status |
In Progress |
Fix Committed |
|
2015-02-23 16:22:35 |
Thierry Carrez |
glance/juno: status |
In Progress |
Fix Committed |
|
2015-02-23 16:22:39 |
Thierry Carrez |
ossa: status |
Triaged |
In Progress |
|
2015-02-23 17:17:15 |
Tristan Cacqueray |
summary |
Image data remains in backend after deleting the image created using task api (import-from) (CVE-2015-1881) |
[OSSA 2015-004] Image data remains in backend after deleting the image created using task api (import-from) (CVE-2015-1881) |
|
2015-02-23 18:07:38 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Released |
|
2015-03-19 19:25:02 |
Thierry Carrez |
glance: status |
Fix Committed |
Fix Released |
|
2015-04-09 18:15:40 |
Adam Gandelman |
glance/juno: importance |
Undecided |
Critical |
|
2015-04-09 18:15:40 |
Adam Gandelman |
glance/juno: milestone |
|
2014.2.3 |
|
2015-04-09 18:39:14 |
Adam Gandelman |
glance/juno: assignee |
|
Abhishek Kekane (abhishek-kekane) |
|
2015-04-10 06:26:08 |
Adam Gandelman |
glance/juno: status |
Fix Committed |
Fix Released |
|
2015-04-14 21:24:14 |
Jeremy Stanley |
description |
When deleting an image created using the task API (import-from), the image gets deleted from the database, but the image data remains in the backend.
Steps to reproduce:
1. Create image using task api
$ curl -i -X POST -H 'User-Agent: python-glanceclient' -H 'Content-Type: application/json' -H 'Accept-Encoding: gzip, deflate, compress' -H 'Accept: */*' -H 'X-Auth-Token: 35a9e49237b74eddbe5057eb434b3f9e' -d '{"type": "import", "input": {"import_from": "http://releases.ubuntu.com/14.10/ubuntu-14.10-server-i386.iso", "import_from_format": "raw", "image_properties": {"disk_format": "raw", "container_format": "bare", "name": "task_image"}}}' http://10.69.4.176:9292/v2/tasks
2. Wait until the image becomes active.
3. Confirm the image is in active state.
$ glance image-list
4. Delete the image
$ glance image-delete <image-id>
5. Verify image-list does not show the deleted image
$ glance image-list
The image gets deleted from the database, but the image data is still present in the backend.
Problem:
The import task does not update the location of the image, and it remains None even after the image becomes active.
A location entry is not added to the image_locations table in the database.
While deleting the image, it checks whether a location is present for the image [1][2], and only then deletes the image data from that location.
[1] v1: https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L1066
[2] v2: https://github.com/openstack/glance/blob/master/glance/location.py#L361
This issue is reproducible in stable/juno as well as in current master.
Note: You need to replace the auth token in the above curl command; otherwise it will raise an authentication failure error.
(Use the 'keystone token-get' command to generate a new token) |
|
2015-04-30 08:15:25 |
Thierry Carrez |
glance: milestone |
kilo-3 |
2015.1.0 |
|