CVE-2013-1840: Backend credentials leak in Glance v1 API

Related Vulnerabilities: CVE-2013-1840  

Debian Bug report logs - #703063

Reported by: Thomas Goirand <zigo@debian.org>

Date: Thu, 14 Mar 2013 20:51:01 UTC

Severity: grave

Tags: security

Fixed in versions glance/2012.1.1-5, glance/2012.2.3-2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#703063; Package src:glance. (Thu, 14 Mar 2013 20:51:04 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 14 Mar 2013 20:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-1840: Backend credentials leak in Glance v1 API
Date: Fri, 15 Mar 2013 04:46:22 +0800
Source: glance
Severity: grave
Tags: security

Stuart McLaren from HP reported a vulnerability in the information
potentially returned to the user in Glance v1 API. If an authenticated
user requests, through the v1 API, an image that is already cached, the
headers returned may disclose the Glance operator's backend credentials
for that endpoint. Only setups accepting the Glance v1 API and using
either the single-tenant Swift store or S3 store are affected.
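The leak described above is a metadata header carrying a backend store URL with credentials embedded in its userinfo part. The following is an added example, not code from Glance or from the Debian package, showing the kind of scrub-and-alert check a deployer could run over v1 responses: the header name `X-Image-Meta-Location` and the URL layouts (`swift://tenant:user:key@host/...`, `s3://key:secret@host/...`) are assumptions made for the example, as is the sample response.

```python
"""Detect and redact backend credentials in Glance v1-style response headers.

Added example; the header names and URL shapes are assumptions, not taken
from the Glance source or the bug report above.
"""
import re
from typing import Dict, List, Tuple

# scheme://userinfo@ where userinfo holds no '/', so a path containing '@'
# does not match. The scheme is captured so it survives the redaction.
_USERINFO_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*://)(?P<userinfo>[^/@\s]+@)", re.I
)


def redact_value(value: str) -> Tuple[str, bool]:
    """Strip any user:secret@ part from URLs found in one header value.

    Returns (cleaned_value, leaked); leaked is True when something was removed.
    """
    cleaned, count = _USERINFO_RE.subn(lambda m: m.group("scheme"), value)
    return cleaned, count > 0


def scrub_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a credential-free copy of headers plus the names of the headers
    that carried credentials, so the leak can be logged or alerted on."""
    cleaned: Dict[str, str] = {}
    leaking: List[str] = []
    for name, value in headers.items():
        new_value, leaked = redact_value(value)
        cleaned[name] = new_value
        if leaked:
            leaking.append(name)
    return cleaned, leaking


# Constructed sample of a v1 GET /images/<id> response; header name, host and
# credentials are made up for this example (single-tenant Swift store layout assumed).
SAMPLE_HEADERS = {
    "Content-Type": "application/octet-stream",
    "X-Image-Meta-Id": "0123-example",
    "X-Image-Meta-Location": "swift://tenant:apiuser:s3cr3t@swift.example.net/images/0123-example",
}

if __name__ == "__main__":
    cleaned_headers, leaking_names = scrub_headers(SAMPLE_HEADERS)
    for header_name in leaking_names:
        print(f"credential leak in response header {header_name}")
    print(cleaned_headers["X-Image-Meta-Location"])
```

The same check applies to the S3 store case, where the key and secret occupy the userinfo slot of an `s3://` URL.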



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 14 Mar 2013 21:21:25 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Thu, 14 Mar 2013 21:21:25 GMT)


Message #10 received at 703063-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 703063-close@bugs.debian.org
Subject: Bug#703063: fixed in glance 2012.1.1-5
Date: Thu, 14 Mar 2013 21:17:40 +0000
Source: glance
Source-Version: 2012.1.1-5

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 703063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 15 Mar 2013 04:35:22 +0800
Source: glance
Binary: python-glance glance-common glance-api glance-registry glance python-glance-doc
Architecture: source all
Version: 2012.1.1-5
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 703063
Changes: 
 glance (2012.1.1-5) unstable; urgency=high
 .
   * CVE-2013-1840: fixes "Backend credentials leak in Glance v1 API"
     (Closes: #703063).





Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 14 Mar 2013 21:36:09 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Thu, 14 Mar 2013 21:36:10 GMT)


Message #15 received at 703063-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 703063-close@bugs.debian.org
Subject: Bug#703063: fixed in glance 2012.2.3-2
Date: Thu, 14 Mar 2013 21:32:36 +0000
Source: glance
Source-Version: 2012.2.3-2

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 703063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 15 Mar 2013 04:57:35 +0800
Source: glance
Binary: python-glance glance-common glance-api glance-registry glance python-glance-doc
Architecture: source all
Version: 2012.2.3-2
Distribution: experimental
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 703063
Changes: 
 glance (2012.2.3-2) experimental; urgency=low
 .
   * CVE-2013-1840: fixes "Backend credentials leak in Glance v1 API"
     (Closes: #703063).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 Apr 2013 07:32:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:40:21 2019; Machine Name: buxtehude
