| 2014-12-16 15:11:51 |
ruhe |
bug |
|
|
added bug |
| 2014-12-16 15:12:12 |
ruhe |
mos: assignee |
|
MOS Glance (mos-glance) |
|
| 2014-12-16 15:14:26 |
ruhe |
mos: status |
Confirmed |
In Progress |
|
| 2014-12-17 16:29:15 |
ruhe |
mos: status |
In Progress |
Fix Committed |
|
| 2014-12-17 16:29:40 |
ruhe |
nominated for series |
|
mos/6.1.x |
|
| 2014-12-17 16:29:40 |
ruhe |
bug task added |
|
mos/6.1.x |
|
| 2014-12-17 16:29:48 |
ruhe |
mos/6.1.x: milestone |
|
6.1 |
|
| 2014-12-17 16:29:55 |
ruhe |
mos/6.1.x: assignee |
|
MOS Glance (mos-glance) |
|
| 2014-12-17 16:29:58 |
ruhe |
mos/6.1.x: importance |
Undecided |
Critical |
|
| 2014-12-17 16:30:03 |
ruhe |
mos/6.1.x: status |
New |
Fix Committed |
|
| 2014-12-23 12:40:30 |
Dmitry Mescheryakov |
nominated for series |
|
mos/6.0.x |
|
| 2014-12-23 12:40:30 |
Dmitry Mescheryakov |
bug task added |
|
mos/6.0.x |
|
| 2015-01-22 10:33:58 |
Tomasz 'Zen' Napierala |
nominated for series |
|
mos/5.0.x |
|
| 2015-01-22 10:33:58 |
Tomasz 'Zen' Napierala |
bug task added |
|
mos/5.0.x |
|
| 2015-01-22 10:33:58 |
Tomasz 'Zen' Napierala |
nominated for series |
|
mos/4.1.x |
|
| 2015-01-22 10:33:58 |
Tomasz 'Zen' Napierala |
bug task added |
|
mos/4.1.x |
|
| 2015-01-22 10:33:58 |
Tomasz 'Zen' Napierala |
nominated for series |
|
mos/5.1.x |
|
| 2015-01-22 10:33:58 |
Tomasz 'Zen' Napierala |
bug task added |
|
mos/5.1.x |
|
| 2015-01-22 10:34:08 |
Tomasz 'Zen' Napierala |
mos/4.1.x: importance |
Undecided |
Critical |
|
| 2015-01-22 10:34:10 |
Tomasz 'Zen' Napierala |
mos/5.0.x: importance |
Undecided |
Critical |
|
| 2015-01-22 10:34:12 |
Tomasz 'Zen' Napierala |
mos/5.1.x: importance |
Undecided |
Critical |
|
| 2015-01-22 10:34:24 |
Tomasz 'Zen' Napierala |
mos/4.1.x: assignee |
|
MOS Glance (mos-glance) |
|
| 2015-01-22 10:34:31 |
Tomasz 'Zen' Napierala |
mos/5.0.x: assignee |
|
MOS Glance (mos-glance) |
|
| 2015-01-22 10:34:40 |
Tomasz 'Zen' Napierala |
mos/5.1.x: assignee |
|
MOS Glance (mos-glance) |
|
| 2015-01-22 10:34:48 |
Tomasz 'Zen' Napierala |
mos/4.1.x: milestone |
|
4.1.2 |
|
| 2015-01-22 10:34:54 |
Tomasz 'Zen' Napierala |
mos/5.0.x: milestone |
|
5.0.3 |
|
| 2015-01-22 10:34:59 |
Tomasz 'Zen' Napierala |
mos/5.1.x: milestone |
|
5.1.1 |
|
| 2015-01-22 17:34:41 |
Dmitry Mescheryakov |
mos/5.1.x: milestone |
5.1.1 |
5.1.2 |
|
| 2015-01-22 17:35:04 |
Dmitry Mescheryakov |
mos/5.1.x: status |
New |
Confirmed |
|
| 2015-01-22 17:35:06 |
Dmitry Mescheryakov |
mos/5.0.x: status |
New |
Confirmed |
|
| 2015-01-22 17:35:08 |
Dmitry Mescheryakov |
mos/4.1.x: status |
New |
Confirmed |
|
| 2015-02-10 14:34:11 |
ruhe |
mos/6.1.x: assignee |
MOS Glance (mos-glance) |
Mike Fedosin (mfedosin) |
|
| 2015-02-10 14:34:43 |
ruhe |
mos/6.1.x: assignee |
Mike Fedosin (mfedosin) |
Alexander Tivelkov (ativelkov) |
|
| 2015-02-10 14:34:51 |
ruhe |
mos/6.0.x: assignee |
MOS Glance (mos-glance) |
Alexander Tivelkov (ativelkov) |
|
| 2015-02-12 10:44:39 |
Dmitry Mescheryakov |
cve linked |
|
2014-9493 |
|
| 2015-03-03 19:29:22 |
Alex Ermolov |
nominated for series |
|
mos/5.1.1-updates |
|
| 2015-03-03 19:29:22 |
Alex Ermolov |
bug task added |
|
mos/5.1.1-updates |
|
| 2015-03-03 19:29:30 |
Alex Ermolov |
mos/5.1.1-updates: milestone |
|
5.1.1-updates |
|
| 2015-03-04 09:23:12 |
Alex Ermolov |
mos/5.1.1-updates: status |
New |
Confirmed |
|
| 2015-03-04 09:23:15 |
Alex Ermolov |
mos/5.1.1-updates: importance |
Undecided |
High |
|
| 2015-03-04 09:23:18 |
Alex Ermolov |
mos/5.1.1-updates: importance |
High |
Critical |
|
| 2015-03-04 10:34:36 |
Vitaly Sedelnik |
mos/5.1.1-updates: assignee |
|
MOS Sustaining (mos-sustaining) |
|
| 2015-03-04 14:57:52 |
Alex Ermolov |
mos/5.1.1-updates: status |
Confirmed |
Won't Fix |
|
| 2015-05-14 17:21:17 |
Timur Nurlygayanov |
description |
Updating image-location by update images API users can download any file for which glance-api has read permission.
And the file for which glance-api has write permission will be deleted when users delete the image.
For example:
When users specify '/etc/passwd' as locations value of an image user can get the file by image download.
When locations of an image is set with 'file:///path/to/glance-api.conf' the conf will be deleted when users delete the image.
How to recreate the bug:
download files:
- set show_multiple_locations True in glance-api.conf
- create a new image
- set locations of the image's property a path you want to get such as file:///etc/passwd.
- download the image
delete files:
- set show_multiple_locations True in glance-api.conf
- create a new image
- set locations of the image's property a path you want to delete such as file:///path/to/glance-api.conf
- delete the image
upstream bug: https://bugs.launchpad.net/glance/+bug/1400966 |
Updating image-location by update images API users can download any file for which glance-api has read permission.
And the file for which glance-api has write permission will be deleted when users delete the image.
For example:
When users specify '/etc/passwd' as locations value of an image user can get the file by image download.
When locations of an image is set with 'file:///path/to/glance-api.conf' the conf will be deleted when users delete the image.
How to reproduce the bug:
download files:
- set show_multiple_locations True in glance-api.conf
- create a new image
- set locations of the image's property a path you want to get such as file:///etc/passwd.
- download the image
delete files:
- set show_multiple_locations True in glance-api.conf
- create a new image
- set locations of the image's property a path you want to delete such as file:///path/to/glance-api.conf
- delete the image
upstream bug: https://bugs.launchpad.net/glance/+bug/1400966 |
|
| 2015-05-20 10:45:58 |
Kyrylo Romanenko |
mos/6.1.x: status |
Fix Committed |
Fix Released |
|
| 2015-06-23 18:37:02 |
Dmitry Mescheryakov |
cve linked |
|
2015-1195 |
|
| 2015-06-23 18:37:12 |
Dmitry Mescheryakov |
cve unlinked |
2014-9493 |
|
|
| 2015-06-23 18:40:38 |
Dmitry Mescheryakov |
information type |
Public |
Public Security |
|
| 2015-10-21 09:06:48 |
Denis Puchkin |
mos/6.0.x: status |
Fix Committed |
Fix Released |
|
| 2015-10-21 09:08:21 |
Denis Puchkin |
mos/5.1.x: assignee |
MOS Glance (mos-glance) |
MOS Maintenance (mos-maintenance) |
|
| 2015-10-21 13:14:17 |
Denis Puchkin |
mos/5.1.x: milestone |
5.1.1-updates |
5.1.1-mu-2 |
|
| 2015-10-23 12:58:40 |
Denis Puchkin |
mos/5.1.x: assignee |
MOS Maintenance (mos-maintenance) |
Denis Puchkin (dpuchkin) |
|
| 2015-11-09 14:58:17 |
Denis Puchkin |
cve linked |
|
2014-9493 |
|
| 2015-11-09 14:58:46 |
Denis Puchkin |
cve unlinked |
2015-1195 |
|
|
| 2015-11-11 10:21:35 |
Vitaly Sedelnik |
mos/5.1.x: status |
Confirmed |
Fix Committed |
|
| 2015-11-13 15:59:15 |
Vadim Rovachev |
mos/5.1.x: status |
Fix Committed |
Fix Released |
|
| 2015-12-11 12:38:26 |
Adam Heczko |
bug |
|
|
added subscriber Adam Heczko |
| 2016-03-21 09:58:20 |
Denis Meltsaykin |
mos/4.1.x: status |
Confirmed |
Won't Fix |
|
| 2016-03-21 09:58:23 |
Denis Meltsaykin |
mos/5.0.x: status |
Confirmed |
Won't Fix |
|
| 2016-06-21 12:56:20 |
Adam Heczko |
tags |
|
feature-security |
|
