Debian Bug report logs -
#799931
CVE-2015-5251: (OSSA 2015-019) Glance image status manipulation
Reported by: Thomas Goirand <zigo@debian.org>
Date: Thu, 24 Sep 2015 12:57:02 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in versions glance/2014.1.3-12, glance/2014.1.1-1
Fixed in versions glance/1:11.0.0-3, glance/2014.1.3-12+deb8u1
Done: Thomas Goirand <zigo@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#799931; Package src:glance.
(Thu, 24 Sep 2015 12:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>.
(Thu, 24 Sep 2015 12:57:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: glance
Version: 2014.1.3-12
Severity: important
Tags: security patch
OSSA-2015-019: Glance image status manipulation
===============================================
:Date: September 22, 2015
:CVE: CVE-2015-5251
Affects
~~~~~~~
- Glance: <=2014.2.3, >=2015.1.0, <=2015.1.1
Description
~~~~~~~~~~~
Hemanth Makkapati of Rackspace reported a vulnerability in Glance. By
submitting a HTTP PUT request with a "x-image-meta-status" header, a
tenant can manipulate the status of their images. A malicious tenant
may exploit this flaw to reactivate disabled images, bypass storage
quotas and in some cases replace image contents. Setups using the
Glance v1 API allow the illegal modification of image status. Setups
which also use the v2 API may allow a subsequent re-upload of image
contents.
Patches
~~~~~~~
- https://review.openstack.org/226338 (Juno)
- https://review.openstack.org/226337 (Kilo)
- https://review.openstack.org/226336 (Liberty)
Credits
~~~~~~~
- Hemanth Makkapati from Rackspace (CVE-2015-5251)
References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1482371
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5251
Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo)
releases.
Marked as found in versions glance/2014.1.1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 24 Sep 2015 13:42:03 GMT) (full text, mbox, link).
Added tag(s) upstream and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 24 Sep 2015 13:42:04 GMT) (full text, mbox, link).
Marked as fixed in versions glance/1:11.0.0-3.
Request was from Thomas Goirand <zigo@debian.org>
to control@bugs.debian.org.
(Mon, 23 Nov 2015 10:42:06 GMT) (full text, mbox, link).
Reply sent
to Thomas Goirand <zigo@debian.org>:
You have taken responsibility.
(Mon, 23 Nov 2015 23:06:04 GMT) (full text, mbox, link).
Notification sent
to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer.
(Mon, 23 Nov 2015 23:06:04 GMT) (full text, mbox, link).
Message #16 received at 799931-done@bugs.debian.org (full text, mbox, reply):
Bug fixed in both Stable & Sid
Reply sent
to Thomas Goirand <zigo@debian.org>:
You have taken responsibility.
(Thu, 26 Nov 2015 21:21:37 GMT) (full text, mbox, link).
Notification sent
to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer.
(Thu, 26 Nov 2015 21:21:37 GMT) (full text, mbox, link).
Message #21 received at 799931-close@bugs.debian.org (full text, mbox, reply):
Source: glance
Source-Version: 2014.1.3-12+deb8u1
We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 799931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated glance package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 13 Nov 2015 14:22:12 +0100
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.1.3-12+deb8u1
Distribution: jessie-proposed-updates
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
glance - OpenStack Image Service - metapackage
glance-api - OpenStack Image Service - API server
glance-common - OpenStack Image Service - common files
glance-registry - OpenStack Image Service - registry server
python-glance - OpenStack Image Service - Python client library
python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 799931
Changes:
glance (2014.1.3-12+deb8u1) jessie-proposed-updates; urgency=medium
.
* CVE-2015-5251: Glance image status manipulation. Applied upstream patch
after rebasing it from Juno to Icehouse (Closes: #799931).
Checksums-Sha1:
ca273569852c53e886f0f7c387a789af23471315 3470 glance_2014.1.3-12+deb8u1.dsc
b0f054dfb7773ed361f2b579e2145ccb5bde039f 45292 glance_2014.1.3-12+deb8u1.debian.tar.xz
ea4a69c22eb9cbd2ebe4a33ea6db2d0bded95049 410434 python-glance_2014.1.3-12+deb8u1_all.deb
5a353bf3984570d49e7f56d5273b16c57d3d72e5 9780 glance_2014.1.3-12+deb8u1_all.deb
4816e0ad2b61c71e8babae56be1ca0ead14d4ae0 215436 python-glance-doc_2014.1.3-12+deb8u1_all.deb
2e38459f6db4346df66ad04baa18d33829ea7018 50236 glance-common_2014.1.3-12+deb8u1_all.deb
fc9225c3d17cc5af4bc81681afd57c1a1b9ef8b6 45834 glance-api_2014.1.3-12+deb8u1_all.deb
ff2ccff8330f864f6c0de238c0bafb98641aaa20 14474 glance-registry_2014.1.3-12+deb8u1_all.deb
Checksums-Sha256:
7b792b61eb667f0de7adc1d1b4afadb61ffe9154e6086574c8e8e597b62b7607 3470 glance_2014.1.3-12+deb8u1.dsc
bdc3484fb7830fc48f4677a24b665d7e0e7a5bd5d9dd2f8a57d7824dcd36e7d4 45292 glance_2014.1.3-12+deb8u1.debian.tar.xz
86c5d9ce63061a5376eb2aba5d4fd0844fa874aaaa84f84e016c1c7bf454d6f7 410434 python-glance_2014.1.3-12+deb8u1_all.deb
03ec5aaea9b283328ab7fd5cb41ff7fb1ebd23ef41eb27f77971ce2641ed2beb 9780 glance_2014.1.3-12+deb8u1_all.deb
432cc02355e282f4cdb8e440ab2442dba405c053b65847217240ef687185e25f 215436 python-glance-doc_2014.1.3-12+deb8u1_all.deb
0aa83af633051d6dedf90b59678555d7996dc77398a5bc4fa12d72a19b861777 50236 glance-common_2014.1.3-12+deb8u1_all.deb
a304514f64993ec857581cae1eebe2ad05bc7dde21b27aa40c060b4cf92785b3 45834 glance-api_2014.1.3-12+deb8u1_all.deb
be120bee9bf2644ea61700667215f6fc70e9909cbbdffcdf26cd03b743861215 14474 glance-registry_2014.1.3-12+deb8u1_all.deb
Files:
6a6f76ca64239111503162171e39f204 3470 net extra glance_2014.1.3-12+deb8u1.dsc
f64cce2c5fddd5baf5eaf3e01c10afcf 45292 net extra glance_2014.1.3-12+deb8u1.debian.tar.xz
ad635fa15a8fba17caba5c749c55477f 410434 python extra python-glance_2014.1.3-12+deb8u1_all.deb
8495f397476679558eae742c5e56f0bf 9780 python extra glance_2014.1.3-12+deb8u1_all.deb
1848be358f1dbf2f64a466ffa0a57e2c 215436 doc extra python-glance-doc_2014.1.3-12+deb8u1_all.deb
bc792a7426487107285c8555d9d02125 50236 python extra glance-common_2014.1.3-12+deb8u1_all.deb
a7e654d614c97cb1bd258abe51e43f04 45834 python extra glance-api_2014.1.3-12+deb8u1_all.deb
0e2a8564cdb77686fb42584a4d890ea1 14474 python extra glance-registry_2014.1.3-12+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWReq9AAoJENQWrRWsa0P+68YP/A2kYAxYxcCw+rjruuuotLww
SkMcOETet193LhcGmhIUPOwLcE6Vr6cpoYLDId2KboofffHUrOhedMUfpe7Y8mNX
mJdLlbDXvKmaFk1Ls4kgPLqEOzfkRb+ajJCmhPl9htFrugKfwrH96mUuzILzYALP
FuE9lcvlrfwgrWzT1C1k8nk2aq4Q33xsx9JtgmHAjQyseTLPAEaeEqUs+TT6r+bU
7d2nkvpZ3E0y4AOvxilwgQrRrn7T7ra9WKS4gI3mhTIrcaYR4mKRK3OO1e2zVQp2
i82si+UmEZKaN9XHKxl9TVNO6rPSh0mEV/cc0GwzGC5inAf6BhLY+hFEhLH1SjTj
fZ7/UEgLS9C2BEYbiSnkuV0P1ycSu6gUymvbTvhoZ1dCUjqZEfy3R5F6ePP2MyYs
z9VaR90rciXdH2uxjxveEQJnVCAA8MvmzvQKpeQlp/aArb0kjq6shVa3fyQI0ZXp
9TGaWfcSaanz8TScW2R/MYN6GdIVB/n3dFKr6JdxR+qTT2/rOu1lJJUSGpuiMi6v
N8OzVG3NPpfRTlcbOcONF3SQpkBjYxSXUs7lur4tS20i6Tx4c5fYFb5mwN7jhQld
C0/8Ou8o1PtlIsSmUROntoP/RAU5W1u3k5StjxBkesdBtsmMb1+b4cvsK8mgcbkr
fWzltZIxceKz3bf7BS7r
=zjX6
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 25 Dec 2015 07:27:56 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:25:36 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon