glance: CVE-2015-3289: Glance task flow may fail to delete image from backend

Related Vulnerabilities: CVE-2015-3289, CVE-2015-5163

Debian Bug report logs - #793896

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 28 Jul 2015 17:45:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version glance/2015.1.0-1

Fixed in version glance/2015.1.0-4

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#793896; Package src:glance. (Tue, 28 Jul 2015 17:45:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 28 Jul 2015 17:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: glance: CVE-2015-3289: Glance task flow may fail to delete image from backend
Date: Tue, 28 Jul 2015 19:40:49 +0200
Source: glance
Version: 2015.1.0-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for glance.

CVE-2015-3289[0]:
Glance task flow may fail to delete image from backend

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3289
[1] http://www.openwall.com/lists/oss-security/2015/07/28/6

Regards,
Salvatore



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 29 Jul 2015 16:57:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 29 Jul 2015 16:57:17 GMT)


Message #10 received at 793896-done@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 793896-done@bugs.debian.org
Subject: Bug solved
Date: Wed, 29 Jul 2015 18:55:43 +0200
Hi,

This bug doesn't affect Icehouse, and therefore Jessie isn't affected,
and the issue was fixed on the latest upload to Sid. So the issue is
fixed effectively.

Cheers,

Thomas Goirand (zigo)



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#793896; Package src:glance. (Wed, 29 Jul 2015 17:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 29 Jul 2015 17:39:03 GMT)


Message #15 received at 793896@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 793896@bugs.debian.org, Thomas Goirand <zigo@debian.org>
Subject: Re: Bug#793896 closed by Thomas Goirand <zigo@debian.org> (Bug solved)
Date: Wed, 29 Jul 2015 19:36:12 +0200
Control: reopen -1

Hi Thomas,

> This bug doesn't affect Icehouse, and therefore Jessie isn't affected,
> and the issue was fixed on the latest upload to Sid. So the issue is
> fixed effectively.

But this does not look correct IMHO. The issue affects 2015.1.0, and
https://review.openstack.org/#/c/181345/ is not applied up to
2015.1.0-3.

I see the commit
https://anonscm.debian.org/cgit/openstack/glance.git/commit/?id=bc54dad1ebd273f6648647498e9646369f3a413b
but the version accepted into the archive
https://tracker.debian.org/news/700977
does not contain the patch applied.

What am I missing?

Regards,
Salvatore


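The practical question behind the "Found in version" / "Fixed in version" fields on this report, and behind Salvatore's reopen above, is whether a given installed glance sits inside the affected range [2015.1.0-1, 2015.1.0-4) under Debian's version ordering. The block below is an added example, not code from Debian, dpkg, Glance or anyone on this thread: it reimplements dpkg's version comparison (epoch, upstream version, Debian revision, with `~` sorting before everything including end of string and letters before non-letters) in pure Python so it runs where dpkg is not installed, and applies it to the versions named on this page. The function names `compare_versions` and `is_affected`, the backport-style string `2015.1.0-4~bpo8+1` and the Icehouse-series string `2014.1.3-1` are this example's own constructions, not real uploads.

```python
"""Pure-Python reimplementation of dpkg's Debian version ordering, used to
decide whether an installed glance version falls inside the affected range
recorded in Debian bug #793896 (found 2015.1.0-1, fixed 2015.1.0-4).

Added example; not Debian, dpkg or Glance code. Function names and the
sample version strings below are this example's own assumptions."""

FOUND_IN = "2015.1.0-1"   # "Found in version" on this report
FIXED_IN = "2015.1.0-4"   # "Fixed in version" on this report


def parse_version(version):
    """Split [epoch:]upstream[-revision] the way dpkg does.

    The epoch is everything before the first ':'; the Debian revision is
    everything after the LAST '-' (upstream versions may contain hyphens).
    A missing revision compares equal to revision 0."""
    epoch = 0
    rest = version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def _order(c):
    """dpkg's character weight for non-digit runs: '~' sorts before
    everything (even end of string), letters sort before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) like dpkg:
    alternate non-digit runs (by _order) and digit runs (numerically,
    ignoring leading zeros)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit (or the
        # end) is reached on both sides.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer number wins, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Negative, zero or positive as dpkg --compare-versions would order
    a before, equal to, or after b. Epoch wins outright, then upstream,
    then the Debian revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_affected(installed, found_in=FOUND_IN, fixed_in=FIXED_IN):
    """True if found_in <= installed < fixed_in under dpkg ordering.

    This only reflects what the version string claims: as the bug log shows,
    2015.1.0-3 carried the fix in git but not in the archive upload, so for a
    package you distrust inspect debian/patches in the source package rather
    than the version alone."""
    return compare_versions(installed, found_in) >= 0 and compare_versions(installed, fixed_in) < 0


if __name__ == "__main__":
    # Versions from this page plus two constructed strings: a backport-style
    # revision (sorts BELOW the fix because of '~') and an Icehouse-series
    # version (sorts below the found version).
    for v in ["2015.1.0-1", "2015.1.0-3", "2015.1.0-4", "2015.1.0-4~bpo8+1", "2014.1.3-1"]:
        print(f"{v:22} affected={is_affected(v)}")
```

Two things the run makes visible that a glance at the changelog does not: a tilde revision such as `2015.1.0-4~bpo8+1` orders before `2015.1.0-4`, so a backport named that way would still count as inside the affected range until it carries the patch; and an Icehouse-series version orders below the found version, which is consistent with the maintainer's statement above that Icehouse is not affected but is not by itself proof of it.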

Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to 793896-submit@bugs.debian.org. (Wed, 29 Jul 2015 17:39:03 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 29 Jul 2015 17:45:08 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sun, 16 Aug 2015 09:39:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 16 Aug 2015 09:39:10 GMT)


Message #24 received at 793896-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 793896-close@bugs.debian.org
Subject: Bug#793896: fixed in glance 2015.1.0-4
Date: Sun, 16 Aug 2015 09:35:20 +0000
Source: glance
Source-Version: 2015.1.0-4

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793896@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 12 Aug 2015 14:52:22 +0200
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2015.1.0-4
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 793896
Changes:
 glance (2015.1.0-4) unstable; urgency=medium
 .
   * Fixes CVE-2015-5163: Don't import files with backed files.
   * Really upload fix for CVE-2015-3289 (Closes: #793896).
Checksums-Sha1:
 78e83e4ff1cdd1aefc25aa86509e35c39fff2809 3614 glance_2015.1.0-4.dsc
 6e187fb8cee7df3dba0dbd835c806e73d6fed488 37392 glance_2015.1.0-4.debian.tar.xz
 e73ee60b0b31ab65409cc5e8458b71238b789026 35916 glance-api_2015.1.0-4_all.deb
 796b661fe083dc3532e1a646884a4eb857a3912d 42084 glance-common_2015.1.0-4_all.deb
 63ce0cceebf81991e62e94a26bc3ef191e8e16ed 14178 glance-registry_2015.1.0-4_all.deb
 346e6fd53601cffed8e33dbe94922fbca4add0fb 9486 glance_2015.1.0-4_all.deb
 35d6aa654957f851fa86a33a4d999affbd92b32e 281480 python-glance-doc_2015.1.0-4_all.deb
 be9e70622cce02b026ab368b3b559998e91603e9 440696 python-glance_2015.1.0-4_all.deb
Checksums-Sha256:
 5f46e8618b9d25638ecc53bee3c737cd70662ee1f972b096c1ea81e3a70fbfd6 3614 glance_2015.1.0-4.dsc
 8389f1e09211d32bb02b1bfd504fd78f71c05381ca0901ceeb65d5c582cb6156 37392 glance_2015.1.0-4.debian.tar.xz
 ed0aac3e20aed81aabea23d5a8de7b49903bf007a2c8ad2dfa7c4680f2a1074a 35916 glance-api_2015.1.0-4_all.deb
 e0e6027077ba9bf09aa815286c4b4a309476fe426dc251ceaa0e40fb75f87ff3 42084 glance-common_2015.1.0-4_all.deb
 656f37d765ca71ca02c3e5647978174a59def880668f084c01bc8723087d7157 14178 glance-registry_2015.1.0-4_all.deb
 accbcd284a6ef892a95628d484e738ab438b3a421a78a23b3a0e27ac76026395 9486 glance_2015.1.0-4_all.deb
 dd14be73dd9e0dad781230801c565465309ae1c9a36125142aeb6cdd957a9422 281480 python-glance-doc_2015.1.0-4_all.deb
 b6ecaa88558fca9d5aec3a6015f4ed918504dfa9a5afd9eaeaf20741d72b4ce7 440696 python-glance_2015.1.0-4_all.deb
Files:
 af876c6df433b4ca538101d37f57e8d0 3614 net extra glance_2015.1.0-4.dsc
 a6337cd63f2072433f11bd7630a4fda9 37392 net extra glance_2015.1.0-4.debian.tar.xz
 6a066b2abca637df232e6e160086a2bb 35916 python extra glance-api_2015.1.0-4_all.deb
 71b3e1e8d3373c2e4d4fec5b06181bc4 42084 python extra glance-common_2015.1.0-4_all.deb
 c46706b57b4c307ac711cff571b64a24 14178 python extra glance-registry_2015.1.0-4_all.deb
 dee92a70f822e4f42f66dc0dbdf58331 9486 python extra glance_2015.1.0-4_all.deb
 baecd9b69e31898fe5da833a1a46eddf 281480 doc extra python-glance-doc_2015.1.0-4_all.deb
 b27f1d3f915ab25efd4511b8acaad772 440696 python extra python-glance_2015.1.0-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 19 Sep 2015 07:50:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:20:13 2019; Machine Name: buxtehude
