[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [OSSA 2014-028] Glance store DoS through disk space exhaustion (CVE-2014-5356)
From: Tristan Cacqueray <tristan.cacqueray () enovance ! com>
Date: 2014-08-21 14:09:20
Message-ID: 53F5FD90.7070107 () enovance ! com
[Download RAW message or body]
OpenStack Security Advisory: 2014-028
CVE: CVE-2014-5356
Date: August 21, 2014
Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2
Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).
Juno (development branch) fix:
https://review.openstack.org/91764
Icehouse fix:
https://review.openstack.org/115280
Havana fix:
https://review.openstack.org/115289
Notes:
This fix will be included in the Juno-3 development milestone and in
future 2013.2.4 and 2014.1.3 releases.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5356
https://launchpad.net/bugs/1315321
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic