Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 559376 (CVE-2015-3280) - <sys-cluster/nova-2015.1.1-r3 - Nova may fail to delete images in resize state (CVE-2015-3280)
Summary: <sys-cluster/nova-2015.1.1-r3 - Nova may fail to delete images in resize stat...
Status: RESOLVED FIXED
Alias: CVE-2015-3280
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/nova/+bug/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-02 03:21 UTC by Matthew Thode ( prometheanfire )
Modified: 2016-02-25 08:43 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-02 03:21:15 UTC
Title: Nova may fail to delete images in resize state
Reporter: George Shuklin (Webzilla LTD) and
          Tushar Patil (NTT DATA, Inc)
Products: Nova
Affects: 2014.2 versions through 2014.2.3, and
         2015.1 versions through 2015.1.1

Description:
George Shuklin from Webzilla LTD and Tushar Patil from NTT DATA, Inc
independently reported a vulnerability in Nova resize state. If an
authenticated user deletes an instance while it is in resize state,
it will cause the original instance to not be deleted from the
compute node it was running on. An attacker can use this to launch a
denial of service attack. All Nova setups are affected.

Reproducible: Always
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-02 03:23:23 UTC
arches, please stabilize the following

=sys-cluster/nova-2015.1.1-r3
Comment 2 Agostino Sarubbo gentoo-dev 2015-09-03 08:24:34 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-09-03 08:26:15 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-03 14:28:56 UTC
cleaned up
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 03:16:50 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).