openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #20517
[OSSA 2013-002] Backend password leak in Glance error message (CVE-2013-0212)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenStack Security Advisory: 2013-002
CVE: CVE-2013-0212
Date: January 29, 2013
Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions
Dan Prince of Red Hat discovered an issue in Glance error reporting. By
creating an image in Glance by URL that references a mis-configured
Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image
references for any reason becomes unusable, an authenticated user may
access the Glance operator's Swift credentials for that endpoint. Only
setups that use the single-tenant Swift store are affected.
Grizzly (development branch) fix:
http://github.com/openstack/glance/commit/e96273112b5b5da58d970796b7cfce04c5030a89
Folsom fix (included in upcoming Glance 2012.2.3 stable update):
http://github.com/openstack/glance/commit/96a470be64adcef97f235ca96ed3c59ed954a4c1
Essex fix:
http://github.com/openstack/glance/commit/37d4d96bf88c2bf3e7e9511b5e321cf4bed364b7
References:
https://bugs.launchpad.net/glance/+bug/1098962
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0212
- --
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iQIcBAEBCAAGBQJRCCvqAAoJEFB6+JAlsQQj9scP/1bQzhQ5lA/jNoPIPMlUKOr4
NlrT9+QA6pF3xOjTQeyViTTUfMn1YHdOTS8bi/NeSlL3UuEhpdCb59APwqmZva3u
Tx+so6L3nc5qNRdDAAr6oNBYmD08T41ceLpzjv9BbTgPxD4gUCg9WeySBAa+I7MU
1w1hvhObhQWZ8Xvqf/2tKTrMpGuJOS/0aoMSQUMqFR47moyYgBznNT6J3FaC3haE
jRh4RSv7XKN2MU0Cv05m/txXNUTP6rtl+qAiGW9UZvhTHY/kafaJLi/HuGkmANf0
fkuoKL5VxFYoIbHDlJ+ymPUz/jgoZJNkvvmS5mQH7YFBdgAvzAIAYJ4jk8uOMMmo
AHqaVdfZYCWRP6pMDzjnU5EGhRrgt2RafWsnU8MyYePrF3G8dcikvQlIki+PlmPT
+zXjPoIsirFJh3XSTRNbUDwIww6AuBbhxgJD78NhQY/12MC5zELOasWcpTKPyvLs
HTIe8AbVLf5Z0blZdUZHGlzFBQlgPU3ydIjY1UStWPYNCQs2hTrtoq9y68LmDzix
jRQ3jmKhMGsLwlrcskSyD/1qGGD6NNPRJwME7pXspy7mBlN0LS9OLRwhYHTzNGwx
YTSKhy12xooqYkaJncZEduTBKwMJLMwk/HZxD7KRuKPM7xoK64mkyz/03rUsQORj
na6Kqw9rcPfJG0jfh3/c
=PyUp
-----END PGP SIGNATURE-----