Bugzilla – Bug 892779
VUL-0: CVE-2014-5356: openstack-glance: Glance store disk space exhaustion
Last modified: 2015-03-25 15:44:06 UTC
Via rh#1131770

The OpenStack project reports:

""
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration option is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload).
""

This affects versions up to 2013.2.3 and 2014.1 to 2014.1.2.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1131770
http://seclists.org/oss-sec/2014/q3/410
https://bugs.launchpad.net/glance/+bug/1315321
https://review.openstack.org/#/c/91764/
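The advisory quoted above concerns a size cap that is configured but not applied while image data is being uploaded. As an added illustration (not Glance's code and not part of this bug report), the sketch below enforces a byte cap on a streamed upload of unknown length and deletes the partial object on overflow; CappedReader, store_image and the dict-backed store are hypothetical names.

```python
import io


class ImageSizeLimitExceeded(Exception):
    """Raised when an upload stream exceeds the configured cap."""


class CappedReader:
    """File-like wrapper that refuses to hand out more than `cap` bytes."""

    def __init__(self, body, cap):
        self.body = body
        self.cap = cap
        self.bytes_read = 0

    def read(self, size=-1):
        # Never pull more than one byte past the cap, even for read(-1),
        # so an oversized body cannot be buffered in memory first.
        limit = self.cap - self.bytes_read + 1
        if size is None or size < 0 or size > limit:
            size = limit
        chunk = self.body.read(size)
        self.bytes_read += len(chunk)
        if self.bytes_read > self.cap:
            raise ImageSizeLimitExceeded("upload exceeds %d bytes" % self.cap)
        return chunk


def store_image(body, store, image_id, cap, chunk_size=4):
    """Stream `body` into `store` (a dict standing in for a backend).

    Returns the number of bytes stored; on overflow the partial object
    is deleted so a rejected upload does not keep consuming space.
    """
    reader = CappedReader(body, cap)
    store[image_id] = bytearray()
    try:
        for chunk in iter(lambda: reader.read(chunk_size), b""):
            store[image_id].extend(chunk)
    except ImageSizeLimitExceeded:
        del store[image_id]
        raise
    return len(store[image_id])


if __name__ == "__main__":
    backend = {}  # constructed sample store
    print(store_image(io.BytesIO(b"a" * 10), backend, "ok", cap=10))
```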
bugbot adjusting priority
Patches are committed upstream, so I guess we can just submit the packages for Cloud 3 and Cloud 4.
Affected packages: SLE-11-SP3-CL4: openstack-glance
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2014-10-24. https://swamp.suse.de/webswamp/wf/59124
SUSE-SU-2014:1341-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 892779,897815
CVE References: CVE-2014-5356
Sources used:
SUSE Cloud 4 (src): openstack-glance-2014.1.3.dev8.gf43b1c2-0.7.1, openstack-glance-doc-2014.1.3.dev8.gf43b1c2-0.7.1
Cloud 3 update still missing? It was submitted and accepted already