
Security vulnerabilities in the openstack-glance software package

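--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-5198
2014-04-15 12:16:42
--------------------------------------------------------------------------------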

Name : openstack-glance
Product : Fedora 20
Version : 2013.2.3
Release : 3.fc20
URL : http://glance.openstack.org
Summary : OpenStack Image Service
Description :
OpenStack Image Service (code-named Glance) provides discovery, registration,
and delivery services for virtual disk images. The Image Service API server
provides a standard REST interface for querying information about virtual disk
images stored in a variety of back-end stores, including OpenStack Object
Storage. Clients can register new virtual disk images with the Image Service,
query for information on publicly available disk images, and use the Image
Service’s client library for streaming virtual disk images.

This package contains the API and registry servers.

--------------------------------------------------------------------------------
Update Information:

OpenStack Security Advisory: 2014-012
CVE: CVE-2014-0162
Date: April 10, 2014
Title: Remote code execution in Glance Sheepdog backend
Reporter: Paul McMillan (Nebula)
Products: Glance
Versions: from 2013.2 to 2013.2.3

Description:
Paul McMillan from Nebula reported a vulnerability in Glance Sheepdog
backend. By using a specially crafted location, a user allowed to insert
or modify Glance image metadata may trigger code execution on the Glance
host as the user the Glance service runs under. This may result in
Glance host unauthorized access and further compromise of the Glance
service. All setups using Glance server with the (enabled by default)
sheepdog backend are affected.

Juno (development branch) fix:
https://review.openstack.org/86622

Icehouse (milestone-proposed branch) fix:
https://review.openstack.org/86625

Havana fix:
https://review.openstack.org/86626

Notes:
This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0162
https://launchpad.net/bugs/1298698
- Latest havana upstream
Rebases from latest stable havana and pulls in the fix for the security issue listed in the bugs field.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 14 2014 Flavio Percoco <flavio@redhat.com> - 2013.2.3-3
- CVE-2014-0162
* Thu Apr 10 2014 Pádraig Brady <pbrady@redhat.com> - 2013.2.3-2
- Update to Havana stable release 2013.2.3
* Fri Feb 14 2014 Flavio Percoco <flavio@redhat.com> 2013.2.2-1
- Update to Havana stable release 2013.2.2
* Wed Dec 18 2013 Pádraig Brady <pbrady@redhat.com> 2013.2.1-1
- Update to Havana stable release 2013.2.1
* Fri Oct 25 2013 Flavio Percoco <flavio@redhat.com> 2013.2-2
- Fixes #956815
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1085163 - CVE-2014-0162 openstack-glance: remote code execution in Glance Sheepdog backend
https://bugzilla.redhat.com/show_bug.cgi?id=1085163
[ 2 ] Bug #1064589 - CVE-2014-1948 openstack-glance: Glance Swift store backend password leak
https://bugzilla.redhat.com/show_bug.cgi?id=1064589
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update openstack-glance' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
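
The advisory above says every setup with the (enabled by default) sheepdog backend is affected. The following is an added example, not part of the Fedora notification or the Glance code, that audits a glance-api.conf to see whether that backend is loaded. It assumes the Havana-era `known_stores` option in `[DEFAULT]` and the class path `glance.store.sheepdog.Store`; the sample configurations are constructed.

```python
import configparser

# Assumptions (not from the advisory): Havana-era glance-api.conf lists the
# enabled store drivers in [DEFAULT] known_stores, and the Sheepdog driver is
# registered under the class path below.
SHEEPDOG_STORE = "glance.store.sheepdog.Store"


def sheepdog_exposure(conf_text):
    """Return (source, enabled) for the Sheepdog store in a glance-api.conf."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.defaults().get("known_stores")
    if raw is None:
        # Option absent or commented out: the built-in default applies, and
        # the advisory states the Sheepdog backend is enabled by default.
        return ("default", True)
    # The value may span several indented continuation lines.
    stores = [s.strip() for s in raw.replace("\n", ",").split(",") if s.strip()]
    return ("explicit", SHEEPDOG_STORE in stores)


# Constructed sample configurations (not taken from a real host).
CONF_COMMENTED = """[DEFAULT]
verbose = True
#known_stores = glance.store.filesystem.Store,
"""

CONF_RESTRICTED = """[DEFAULT]
known_stores = glance.store.filesystem.Store,
               glance.store.http.Store,
"""

CONF_WITH_SHEEPDOG = """[DEFAULT]
known_stores = glance.store.filesystem.Store,
               glance.store.sheepdog.Store
"""

if __name__ == "__main__":
    for name, text in [("commented", CONF_COMMENTED),
                       ("restricted", CONF_RESTRICTED),
                       ("with sheepdog", CONF_WITH_SHEEPDOG)]:
        print(name, sheepdog_exposure(text))
```

A result of `("default", True)` deserves the same attention as an explicit listing: a commented-out option still leaves the default store list in effect.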
