yahoo-eng-team team mailing list archive

[Bug 1065187] Re: [OSSA-2012-017] Non-admin users can cause public glance images to be deleted from the backend storage repository

 

** Summary changed:

- Non-admin users can cause public glance images to be deleted from the backend storage repository
+ [OSSA-2012-017] Non-admin users can cause public glance images to be deleted from the backend storage repository

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Russell Bryant (russellb)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1065187

Title:
  [OSSA-2012-017] Non-admin users can cause public glance images to be
  deleted

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance essex series:
  Fix Committed
Status in Glance folsom series:
  Fix Released
Status in Glance grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “glance” package in Ubuntu:
  Fix Released
Status in “glance” source package in Quantal:
  Fix Released

Bug description:
  Given a public, non-protected image, a non-admin user can issue a
  delete against that image which may delete the image from the backend
  storage repository.  The client will get a 403 unauthorized response,
  but the backend delete method is called prior to checking for those
  permissions on the glance registry.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1065187/+subscriptions
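
The ordering flaw in the bug description above, shown next to a check-first version. This is an added example, not part of the original notification and not Glance's code: Forbidden, Registry, both delete handlers, attempt(), the user names and the image record are hypothetical stand-ins.

```python
# Added illustration: Forbidden, Registry and both handlers are hypothetical
# stand-ins, not Glance's own classes; the image record is constructed.

class Forbidden(Exception):
    """Becomes the 403 the client sees."""

class Registry:
    """Image metadata plus the permission check on delete."""
    def __init__(self, images):
        self.images = images

    def authorize_delete(self, image_id, user, is_admin=False):
        if not is_admin and self.images[image_id]["owner"] != user:
            raise Forbidden(image_id)

    def delete(self, image_id, user, is_admin=False):
        self.authorize_delete(image_id, user, is_admin)
        del self.images[image_id]

def delete_vulnerable(store, registry, image_id, user):
    # Order from the bug description: backend delete first, so the
    # registry's Forbidden arrives after the data is already gone.
    store.pop(image_id, None)
    registry.delete(image_id, user)

def delete_checked(store, registry, image_id, user):
    # Authorize before any side effect, then delete data and metadata.
    registry.authorize_delete(image_id, user)
    store.pop(image_id, None)
    registry.delete(image_id, user)

def attempt(handler, user):
    """Run one delete on a constructed public image; return (status, data_kept)."""
    store = {"img-1": b"constructed image bytes"}  # backend storage stand-in
    registry = Registry({"img-1": {"owner": "alice", "is_public": True}})
    try:
        handler(store, registry, "img-1", user)
        status = 200
    except Forbidden:
        status = 403
    return status, "img-1" in store

if __name__ == "__main__":
    for handler in (delete_vulnerable, delete_checked):
        print(handler.__name__, attempt(handler, "mallory"))
```

Both handlers return 403 to the non-owner, so the response code alone does not tell a tester which order ran; the check that matters is whether the backend object still exists afterwards.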