@Brian

I think repeating the same info/mistakes we did with OSSN-0065 is not beneficial. Thus I'd like to avoid going that route and just refer to OSSN-0065 for the previous conversation. Thus my take is to just remove the section copied from there.
Also realized that the Start of Discussion limits gives the impression that this is vulnerable only when the nodes that have show multiple locations enabled are public, but that's not the case. Fixing the deployments does not fix the issue, it just limits its accessibility from the public.
+This note applies to you if you are operating an end-user-facing
+glance-api service with the 'show_multiple_locations' option set to True
+(the default value is False) or if your end-user-facing glance-api has
+the 'show_image_direct_url' option set to True (default value is False).
+Your exposure is less if you have *only* 'show_image_direct_url=True',
+but the deployment configuration suggested below is recommended for your
+case as well.
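Review bot: The sentence beginning "Your exposure is less if you have *only* 'show_image_direct_url=True'" does not say what the remaining exposure is or what it is being compared against, so an operator who has only that option set cannot tell from this paragraph how urgently to act. Suggest adding one clause that names what stays exposed in that case, next to the existing pointer to the deployment configuration suggested below.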
I'd change the first paragraph to something like:
This note applies to you if you are operating a glance-api service with the 'show_multiple_locations' option set to True
(the default value is False) or if your end-user-facing glance-api has
the 'show_image_direct_url' option set to True (default value is False).
Your exposure is less if you have *only* 'show_image_direct_url=True' or
your glance-api that has 'show_multiple_locations=True' is deployed internal
service facing only, but the deployment configuration suggested below is
recommended for your case as well.
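As an added example (not part of the original comment or of the Glance project), a small Python check that reads glance-api.conf text and sorts a node into the cases the proposed paragraph above distinguishes. The `end_user_facing` argument, the verdict strings and the sample configuration are assumptions made for illustration; both options are read from `[DEFAULT]`.

```python
import configparser

OPTIONS = ("show_multiple_locations", "show_image_direct_url")

def read_flags(conf_text):
    """Return {option: bool}; an unset option keeps its default of False."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {o: cp.getboolean("DEFAULT", o, fallback=False) for o in OPTIONS}

def classify(flags, end_user_facing):
    """Map a node to the cases in the proposed wording (hypothetical labels).

    end_user_facing is supplied by the operator; it cannot be derived
    from glance-api.conf itself.
    """
    multi = flags["show_multiple_locations"]
    direct = flags["show_image_direct_url"]
    if multi:
        # Applies wherever the service runs; internal-only is reduced exposure.
        return "applies" if end_user_facing else "applies-reduced"
    if direct and end_user_facing:
        # Only show_image_direct_url is set: note applies, exposure is less.
        return "applies-reduced"
    return "not-covered"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
show_multiple_locations = True
show_image_direct_url = false

[glance_store]
stores = file,http
"""

if __name__ == "__main__":
    flags = read_flags(SAMPLE_CONF)
    for facing in (True, False):
        print(f"end_user_facing={facing}: {classify(flags, facing)}")
```
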