Bugzilla – Bug 892779
VUL-0: CVE-2014-5356: openstack-glance: Glance store disk space exhaustion
Last modified: 2015-03-25 15:44:06 UTC
The OpenStack project reports:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).
This affects versions up to 2013.2.3 and 2014.1 to 2014.1.2.
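The failure described above is a cap that is configured but never checked while the upload body is streamed to the store. The following is an added illustration of enforcing such a cap on a stream of unknown length; it is not Glance's code or the upstream patch, and `CappedReader`, `store_image`, `ImageSizeLimitExceeded` and the sample sizes are hypothetical names and constructed values.

```python
import io
import os
import tempfile


class ImageSizeLimitExceeded(Exception):
    """Raised when an upload body is larger than the configured cap."""


class CappedReader:
    """File-like wrapper that refuses to yield more than `cap` bytes."""

    def __init__(self, body, cap):
        self.body, self.cap, self.bytes_read = body, cap, 0

    def read(self, n=-1):
        # Ask for at most one byte past the cap: enough to detect an
        # oversize body without buffering it.
        allowed = self.cap - self.bytes_read + 1
        if n is None or n < 0 or n > allowed:
            n = allowed
        chunk = self.body.read(n)
        self.bytes_read += len(chunk)
        if self.bytes_read > self.cap:
            raise ImageSizeLimitExceeded(f"upload exceeds cap of {self.cap} bytes")
        return chunk


def store_image(body, dest_path, cap, chunk_size=64 * 1024):
    """Stream `body` to `dest_path`; delete the partial file if the cap is hit."""
    reader = CappedReader(body, cap)
    try:
        with open(dest_path, "wb") as out:
            for chunk in iter(lambda: reader.read(chunk_size), b""):
                out.write(chunk)
    except ImageSizeLimitExceeded:
        os.remove(dest_path)  # do not leave a partial image in the store
        raise
    return reader.bytes_read


if __name__ == "__main__":
    cap = 1000  # constructed value standing in for image_size_cap
    path = os.path.join(tempfile.mkdtemp(), "image")
    print(store_image(io.BytesIO(b"\0" * 1000), path, cap))
    try:
        store_image(io.BytesIO(b"\0" * 5000), path, cap)
    except ImageSizeLimitExceeded as exc:
        print("rejected:", exc, "| partial file left:", os.path.exists(path))
```

Because the check runs on every read, it holds even when the client sends no length up front, and at most `cap` bytes ever reach the disk before the upload is rejected.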
bugbot adjusting priority
Patches are committed upstream, so I guess we can just submit the packages for Cloud 3 and Cloud 4.
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-10-24.
SUSE-SU-2014:1341-1: An update that solves one vulnerability and has one errata is now available.
Category: security (low)
Bug References: 892779,897815
CVE References: CVE-2014-5356
SUSE Cloud 4 (src): openstack-glance-2014.1.3.dev8.gf43b1c2-0.7.1, openstack-glance-doc-2014.1.3.dev8.gf43b1c2-0.7.1
Cloud 3 update still missing? It was submitted and accepted already.