Bug 540678 (CVE-2014-9684) - app-admin/glance: Glance import task leaks image in backend (CVE-2014-9684,CVE-2015-1881)
Status: RESOLVED FIXED
Alias: CVE-2014-9684
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2015/q1/600
Whiteboard: ~4 [noglsa]
Reported: 2015-02-19 15:48 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-06-14 21:34 UTC
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-19 15:48:27 UTC
From ${URL}:
A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.

Title: Glance import task leaks image in backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2014.2 versions through 2014.2.2

Description:
Abhishek Kekane from NTT reported a vulnerability in the Glance import task.
By creating numerous images using the task API and deleting them, an
authenticated attacker may accumulate untracked image data in the backend
resulting in potential resource exhaustion and denial of service. All glance
setups using API v2 are affected.

References:
https://launchpad.net/bugs/1420696
https://launchpad.net/bugs/1422716

Thanks in advance,

##

@maintainers: since this package has not been stabilized, please remove the vulnerable packages after bump.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-09 01:28:14 UTC
fixed in 2014.2.2-r1

no vuln versions in tree
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 21:34:57 UTC
CVE-2015-1881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1881):
  OpenStack Image Registry and Delivery Service (Glance) 2014.2 through
  2014.2.2 does not properly remove images, which allows remote authenticated
  users to cause a denial of service (disk consumption) by creating a large
  number of images using the task v2 API and then deleting them, a different
  vulnerability than CVE-2014-9684.

CVE-2014-9684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9684):
  OpenStack Image Registry and Delivery Service (Glance) 2014.2 through
  2014.2.2 does not properly remove images, which allows remote authenticated
  users to cause a denial of service (disk consumption) by creating a large
  number of images using the task v2 API and then deleting them before the
  uploads finish, a different vulnerability than CVE-2015-1881.
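
A defender-side check for the disk consumption both CVE entries describe, as an added example that is not part of the bug report or Glance's own code: it lists blobs in a store directory that no live image record owns. It assumes the filesystem store backend with one file per image named by its UUID, and an image id to status mapping exported from the Glance database; `find_untracked_blobs`, `GONE_STATUSES` and `min_age` are names chosen for this example.

```python
import os
import re
import tempfile
import time

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Assumption: only a "deleted" record means the blob should already be gone.
GONE_STATUSES = {"deleted"}


def find_untracked_blobs(store_dir, image_status, min_age=3600, now=None):
    """Return (orphans, total_bytes) for UUID-named files with no live image record.

    image_status maps image id -> status, as exported from the Glance database.
    Files modified within min_age seconds are skipped: an upload may be in flight.
    """
    now = time.time() if now is None else now
    orphans, total = [], 0
    with os.scandir(store_dir) as entries:
        for entry in entries:
            name = entry.name.lower()
            if not entry.is_file(follow_symlinks=False) or not UUID_RE.match(name):
                continue
            status = image_status.get(name)
            if status is not None and status not in GONE_STATUSES:
                continue  # a live record still owns this blob
            st = entry.stat(follow_symlinks=False)
            if now - st.st_mtime < min_age:
                continue
            orphans.append((name, st.st_size, status or "no record"))
            total += st.st_size
    # Largest leaks first, so the report leads with what costs the most disk.
    return sorted(orphans, key=lambda o: -o[1]), total


def demo():
    """Run the check over a constructed store directory (all ids are made up)."""
    live, gone, lost, fresh = (n * 8 + "-0000-0000-0000-" + n * 12 for n in "abcd")
    sizes = {live: 10, gone: 300, lost: 200, fresh: 50}
    with tempfile.TemporaryDirectory() as store:
        old = time.time() - 7200
        for name, size in sizes.items():
            path = os.path.join(store, name)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
            if name != fresh:
                os.utime(path, (old, old))  # backdate everything except the new upload
        return find_untracked_blobs(store, {live: "active", gone: "deleted"})
```

Tracking the returned byte total over time shows whether untracked data is still accumulating after the upgrade to a fixed version.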