yahoo-eng-team team mailing list archive

[Luke Hinds <lhinds@xxxxxxxxxx>]

** Changed in: ossn
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1606495

Title:
  copy_from in api v1 allows network port scan

Status in Glance:
  New
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.


  copy_from allows to create Images with an url like http://localhost:22
  The remote content gets copied unverified in the defined glance store.

  E.g. after downloading the image with copy_from url
  http://localhost:22, you see the OpenSSH banner.

  This is a security issue, as it allows users to do network "scans" for
  open ports and it copies remote (potentially malicious) content
  unverified to your configured glance store.

  glance api v1 is still the default in horizon.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1606495/+subscriptions