[OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)
Bug #1408663 reported by Thierry Carrez
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | Fix Released | Critical | Grant Murphy | |
| Icehouse | Fix Released | Critical | Grant Murphy | |
| Juno | Fix Released | Critical | Grant Murphy | |
| OpenStack Security Advisory | Fix Released | Critical | Unassigned | |
Bug Description
Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the vulnerability for swift: and file: URIs, but overlooked filesystem: URIs.
Please see bug 1400966 for historical reference.
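
The gap described above, as an added example (not Glance's code and not the actual patch): a location check written as a denylist of the schemes known to be dangerous lets `filesystem:` through, while an allowlist rejects anything not explicitly approved. The function names, both scheme sets and the sample locations are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical denylist: models a fix that names only the schemes
# known to be dangerous at the time (the two named in this report).
DENIED_SCHEMES = {"file", "swift"}

# Hypothetical allowlist: only remote schemes the operator approved.
ALLOWED_SCHEMES = {"http", "https"}


def scheme_of(location: str) -> str:
    """Return the lower-cased URI scheme, or '' when there is none."""
    return urlsplit(location.strip()).scheme.lower()


def denylist_accepts(location: str) -> bool:
    """Accept unless the scheme is explicitly listed as dangerous."""
    return scheme_of(location) not in DENIED_SCHEMES


def allowlist_accepts(location: str) -> bool:
    """Accept only when the scheme is explicitly listed as approved."""
    return scheme_of(location) in ALLOWED_SCHEMES


# Constructed sample image locations (not taken from the bug report).
SAMPLES = [
    "http://images.example.org/cirros.img",
    "file:///srv/images/a.img",
    "swift://account/container/object",
    "filesystem:///srv/images/a.img",
    "FILE:///srv/images/a.img",
    "/srv/images/a.img",
]


def audit(samples):
    """Return locations the denylist accepts but the allowlist rejects."""
    return [s for s in samples
            if denylist_accepts(s) and not allowlist_accepts(s)]


if __name__ == "__main__":
    for loc in audit(SAMPLES):
        print("denylist gap:", loc)
```
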
CVE References
| information type: | Public → Public Security |
| Changed in ossa: | |
| importance: | Undecided → Critical |
| status: | New → Confirmed |
| summary: | [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server → [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) |
| Changed in ossa: | |
| status: | In Progress → Fix Released |
| Changed in glance: | |
| milestone: | none → kilo-2 |
| status: | Fix Committed → Fix Released |
| Changed in glance: | |
| milestone: | kilo-2 → 2015.1.0 |

Master fix proposed at https://review.openstack.org/#/c/145640/