From ${URL}: A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Use of MD5 in OpenStack Glance image signature Reporter: Daniel P. Berrange (Red Hat) Products: Glance Affects: =11.0.0 Description: Daniel P. Berrange from Red Hat reported a vulnerability in Glance image signature. Glance computes cryptographic signature using MD5 hash of the image. By crafting a malicious image that produces a MD5 collision, a Glance backend operator may subvert the signature verification process, resulting in a corrupted image. All Glance setups are affected. References: https://launchpad.net/bugs/1516031 Thanks in advance, -- Tristan Cacqueray OpenStack Vulnerability Management Team
The patch from upstream is present in 12.0.0, but is not in 11.0.1. Please clean the tree of 11.0.1-r1 as 12.0.0 is already stable. Upstream commit: https://git.openstack.org/cgit/openstack/glance/commit/?id=09a0acefc7d27b85e7145611a3852bcf0765f769
cleaned up a while ago and forgot to mention it here cleaned up, removing self from cc
GLSA Vote: No
