Debian Bug report logs - #680110
nova: Arbitrary file injection/corruption through directory traversal
Reported by: Yves-Alexis Perez <corsac@debian.org>
Date: Tue, 3 Jul 2012 16:51:02 UTC
Severity: grave
Tags: security
Fixed in version nova/2012.1.1-2
Done: Thomas Goirand <zigo@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>: Bug#680110; Package nova. (Tue, 03 Jul 2012 16:51:04 GMT)
Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 03 Jul 2012 16:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: nova
Severity: grave
Tags: security
Justification: user security hole
Hey,
two issues were found in nova compute nodes, allowing arbitrary file
corruption or injection on the host.
More details can be found on
http://www.openwall.com/lists/oss-security/2012/07/03/2
CVE-2012-3360, and CVE-2012-3361 have been allocated.
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Reply sent to Thomas Goirand <zigo@debian.org>: You have taken responsibility. (Tue, 03 Jul 2012 21:31:44 GMT)
Notification sent to Yves-Alexis Perez <corsac@debian.org>: Bug acknowledged by developer. (Tue, 03 Jul 2012 21:31:45 GMT)
Message #10 received at 680110-close@bugs.debian.org:
Source: nova
Source-Version: 2012.1.1-2
We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive:
nova-api-ec2_2012.1.1-2_all.deb
to main/n/nova/nova-api-ec2_2012.1.1-2_all.deb
nova-api-metadata_2012.1.1-2_all.deb
to main/n/nova/nova-api-metadata_2012.1.1-2_all.deb
nova-api-os-compute_2012.1.1-2_all.deb
to main/n/nova/nova-api-os-compute_2012.1.1-2_all.deb
nova-api-os-volume_2012.1.1-2_all.deb
to main/n/nova/nova-api-os-volume_2012.1.1-2_all.deb
nova-api_2012.1.1-2_all.deb
to main/n/nova/nova-api_2012.1.1-2_all.deb
nova-cert_2012.1.1-2_all.deb
to main/n/nova/nova-cert_2012.1.1-2_all.deb
nova-common_2012.1.1-2_all.deb
to main/n/nova/nova-common_2012.1.1-2_all.deb
nova-compute-kvm_2012.1.1-2_all.deb
to main/n/nova/nova-compute-kvm_2012.1.1-2_all.deb
nova-compute-lxc_2012.1.1-2_all.deb
to main/n/nova/nova-compute-lxc_2012.1.1-2_all.deb
nova-compute-qemu_2012.1.1-2_all.deb
to main/n/nova/nova-compute-qemu_2012.1.1-2_all.deb
nova-compute-uml_2012.1.1-2_all.deb
to main/n/nova/nova-compute-uml_2012.1.1-2_all.deb
nova-compute-xen_2012.1.1-2_all.deb
to main/n/nova/nova-compute-xen_2012.1.1-2_all.deb
nova-compute_2012.1.1-2_all.deb
to main/n/nova/nova-compute_2012.1.1-2_all.deb
nova-console_2012.1.1-2_all.deb
to main/n/nova/nova-console_2012.1.1-2_all.deb
nova-doc_2012.1.1-2_all.deb
to main/n/nova/nova-doc_2012.1.1-2_all.deb
nova-network_2012.1.1-2_all.deb
to main/n/nova/nova-network_2012.1.1-2_all.deb
nova-objectstore_2012.1.1-2_all.deb
to main/n/nova/nova-objectstore_2012.1.1-2_all.deb
nova-scheduler_2012.1.1-2_all.deb
to main/n/nova/nova-scheduler_2012.1.1-2_all.deb
nova-volume_2012.1.1-2_all.deb
to main/n/nova/nova-volume_2012.1.1-2_all.deb
nova-xcp-network_2012.1.1-2_all.deb
to main/n/nova/nova-xcp-network_2012.1.1-2_all.deb
nova-xcp-plugins_2012.1.1-2_all.deb
to main/n/nova/nova-xcp-plugins_2012.1.1-2_all.deb
nova-xvpvncproxy_2012.1.1-2_all.deb
to main/n/nova/nova-xvpvncproxy_2012.1.1-2_all.deb
nova_2012.1.1-2.debian.tar.gz
to main/n/nova/nova_2012.1.1-2.debian.tar.gz
nova_2012.1.1-2.dsc
to main/n/nova/nova_2012.1.1-2.dsc
python-nova_2012.1.1-2_all.deb
to main/n/nova/python-nova_2012.1.1-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 680110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 03 Jul 2012 18:18:38 +0000
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml nova-compute-xen nova-compute-qemu nova-compute-kvm nova-scheduler nova-volume nova-api nova-network nova-objectstore nova-console nova-cert nova-xcp-plugins nova-xcp-network nova-doc nova-xvpvncproxy nova-api-metadata nova-api-os-compute nova-api-os-volume nova-api-ec2
Architecture: source all
Version: 2012.1.1-2
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
nova-api - OpenStack Compute - compute API frontend
nova-api-ec2 - OpenStack Compute - EC2 API frontend
nova-api-metadata - OpenStack Compute - metadata API frontend
nova-api-os-compute - OpenStack Compute - compute API frontend
nova-api-os-volume - OpenStack Compute - Volume API frontend
nova-cert - OpenStack Compute - certificate manager
nova-common - OpenStack Compute - common files
nova-compute - OpenStack Compute - compute node
nova-compute-kvm - OpenStack Compute - compute node (KVM)
nova-compute-lxc - OpenStack Compute - compute node (LXC)
nova-compute-qemu - OpenStack Compute - compute node (QEmu)
nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
nova-compute-xen - OpenStack Compute - compute node (Xen)
nova-console - OpenStack Compute - console
nova-doc - OpenStack Compute - documentation
nova-network - OpenStack Compute - network manager
nova-objectstore - OpenStack Compute - object store
nova-scheduler - OpenStack Compute - virtual machine scheduler
nova-volume - OpenStack Compute - storage
nova-xcp-network - OpenStack Compute network plugin for the Xen Cloud Platform
nova-xcp-plugins - OpenStack Compute plugin for the Xen Cloud Platform
nova-xvpvncproxy - OpenStack Compute - XVP VNC proxy
python-nova - OpenStack Compute - libraries
Closes: 679009 679422 679445 679497 679670 680110
Changes:
nova (2012.1.1-2) unstable; urgency=high
.
* Fixes CVE-2012-3360, CVE-2012-3361 (Closes: #680110).
* Debconf translation updates with thanks to:
- cs.po Michal Simunek <michal.simunek@gmail.com> (Closes: #679670).
- pt.po Miguel Figueiredo <elmig@debianpt.org> (Closes: #679497).
- sk.po helix84 <helix84@centrum.sk> (Closes: #679445).
- fr.po Julien Patriarca <patriarcaj@gmail.com> (Closes: #679422).
- sv.po Martin Bagge <brother@bsnet.se> (Closes: #679009).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk/zSpwACgkQl4M9yZjvmknsDQCgnyRp14RBRmo7uBbjNckE67wm
TdkAoKgA7garqO07F04/DjIZjIOPWISW
=jlO2
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 26 Oct 2012 07:25:43 GMT)
Last modified:
Wed Jun 19 19:03:51 2019;