yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1408663] Re: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Alan Pevec <1408663@xxxxxxxxxxxxxxxxxx>
Date: Fri, 13 Mar 2015 00:58:56 -0000
Reply-to: Bug 1408663 <1408663@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: glance/icehouse
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1408663

Title:
  [OSSA-2015-002] Glance still allows users to download and delete any
  file in glance-api server (CVE-2015-1195)

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance icehouse series:
  Fix Released
Status in Glance juno series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Jin Liu reported that OSSA-2014-041 (CVE-2014-9493) only fixed the
  vulnerability for swift: and file: URI, but overlooked filesystem:
  URIs.

  Please see bug 1400966 for historical reference.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1408663/+subscriptions

References

[Bug 1408663] [NEW] Glance still allows users to download and delete any file in glance-api server
From: Thierry Carrez, 2015-01-08