yahoo-eng-team team mailing list archive

[Bug 1408663] Re: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)

 

** Changed in: glance
       Status: Fix Committed => Fix Released

** Changed in: glance
    Milestone: None => kilo-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1408663

Title:
  [OSSA-2015-002] Glance still allows users to download and delete any
  file in glance-api server (CVE-2015-1195)

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance icehouse series:
  Fix Committed
Status in Glance juno series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the
  vulnerability for swift: and file: URIs, but overlooked filesystem:
  URIs.

  Please see bug 1400966 for historical reference.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1408663/+subscriptions

