[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)
Bug #1408663 reported by Thierry Carrez
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | Critical | Grant Murphy |
Icehouse | Fix Released | Critical | Grant Murphy |
Juno | Fix Released | Critical | Grant Murphy |
OpenStack Security Advisory | Fix Released | Critical | Unassigned |
Bug Description
Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the vulnerability for swift: and file: URIs, but overlooked filesystem: URIs.
Please see bug 1400966 for historical reference.
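The gap described above is the usual failure mode of a scheme denylist: anything not listed is accepted. The following is an added example, not Glance's code and not the actual patch; the function names, the `http`/`https` allowlist and the sample locations are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Schemes named in the bug description: the first fix covered two of them
# and overlooked the third.
FIRST_FIX_DENYLIST = frozenset({"swift", "file"})
COMPLETE_DENYLIST = FIRST_FIX_DENYLIST | {"filesystem"}

# Assumption for this example: only these remote schemes are ever legitimate.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def accepted_by_denylist(uri, denylist):
    """Accept any location whose scheme is not explicitly denied."""
    return urlsplit(uri).scheme not in denylist


def accepted_by_allowlist(uri, allowed=ALLOWED_SCHEMES):
    """Accept a location only if its scheme is explicitly allowed."""
    return urlsplit(uri).scheme in allowed


# Constructed sample locations (placeholder hosts and paths).
SAMPLES = [
    "https://images.example.org/cirros.img",
    "file:///placeholder/path",
    "FILE:///placeholder/path",  # urlsplit lower-cases the scheme
    "swift://placeholder-container/object",
    "filesystem:///placeholder/path",
]


def audit(uris):
    """Return, per URI, the verdict of each of the three checks."""
    return {
        uri: {
            "first_fix": accepted_by_denylist(uri, FIRST_FIX_DENYLIST),
            "complete_denylist": accepted_by_denylist(uri, COMPLETE_DENYLIST),
            "allowlist": accepted_by_allowlist(uri),
        }
        for uri in uris
    }


if __name__ == "__main__":
    for uri, verdicts in audit(SAMPLES).items():
        print(f"{uri:45} {verdicts}")
```

A regression test for a fix of this kind should enumerate every scheme the service can resolve, not only the ones named in the previous advisory.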
information type: Public → Public Security
Changed in ossa:
importance: Undecided → Critical
status: New → Confirmed
summary:
[OSSA-2015-002] Glance still allows users to download and delete any - file in glance-api server + file in glance-api server (CVE-2015-1195) |
Changed in ossa:
status: In Progress → Fix Released
Changed in glance:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Changed in glance:
milestone: kilo-2 → 2015.1.0
Master fix proposed at https://review.openstack.org/#/c/145640/