
yahoo-eng-team team mailing list archive

[Bug 1408663] [NEW] Glance still allows users to download and delete any file in glance-api server

 

*** This bug is a security vulnerability ***

Public security bug reported:

Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the
vulnerability for swift: and file: URIs, but overlooked filesystem: URIs.

Please see bug 1400966 for historical reference.

** Affects: glance
     Importance: Critical
         Status: In Progress

** Affects: glance/icehouse
     Importance: Critical
         Status: Confirmed

** Affects: glance/juno
     Importance: Critical
         Status: Confirmed

** Affects: ossa
     Importance: Critical
         Status: Confirmed

** Also affects: glance
   Importance: Undecided
       Status: New

** Information type changed from Public to Public Security

** Also affects: glance/icehouse
   Importance: Undecided
       Status: New

** Also affects: glance/juno
   Importance: Undecided
       Status: New

** Changed in: ossa
   Importance: Undecided => Critical

** Changed in: ossa
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1408663

Title:
  Glance still allows users to download and delete any file in
  glance-api server

Status in OpenStack Image Registry and Delivery Service (Glance):
  In Progress
Status in Glance icehouse series:
  Confirmed
Status in Glance juno series:
  Confirmed
Status in OpenStack Security Advisories:
  Confirmed

Bug description:
  Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the
  vulnerability for swift: and file: URIs, but overlooked filesystem:
  URIs.

  Please see bug 1400966 for historical reference.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1408663/+subscriptions
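
The gap this report describes, as an added example that is not part of the original message and is not Glance's code: a scheme denylist naming only `file` and `swift` still accepts a `filesystem:` URI, while a default-deny allowlist rejects every scheme it does not name. The function names, the allowlisted schemes and the sample URIs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes the report says the earlier fix covered (denylist approach).
DENYLISTED_SCHEMES = {"file", "swift"}

# Assumed allowlist for illustration: only remote HTTP(S) sources.
ALLOWED_SCHEMES = {"http", "https"}


def scheme_of(uri):
    """Return the lower-cased URI scheme, or '' when there is none."""
    return urlsplit(uri.strip()).scheme.lower()


def denylist_accepts(uri):
    """Incomplete check: rejects only the schemes someone remembered to list."""
    scheme = scheme_of(uri)
    return bool(scheme) and scheme not in DENYLISTED_SCHEMES


def allowlist_accepts(uri):
    """Default-deny check: accepts only schemes that were explicitly approved."""
    return scheme_of(uri) in ALLOWED_SCHEMES


def compare(uris):
    """Return (uri, denylist verdict, allowlist verdict) for each URI."""
    return [(u, denylist_accepts(u), allowlist_accepts(u)) for u in uris]


# Constructed sample URIs; hosts and paths are placeholders.
SAMPLE_URIS = [
    "https://images.example.org/cirros.img",
    "file:///placeholder/path",
    "swift://placeholder/container/object",
    "filesystem:///placeholder/path",
    "FILESYSTEM:///placeholder/path",
]

if __name__ == "__main__":
    for uri, deny_ok, allow_ok in compare(SAMPLE_URIS):
        print(f"{uri:45} denylist={deny_ok!s:5} allowlist={allow_ok}")
```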

