
Bug 482144 (CVE-2013-4278)

Summary: <sys-cluster/nova-{2012.2.4-r8,2013.1.3-r5} : private flavors resource limit circumvention incomplete fix for CVE-2013-2256
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-08-22 20:21:40 UTC
From ${URL} :

Vincent Danen ( reports:

The previous fix was insufficient and did not fully fix the flaw, as noted here:

The patch to fully correct this flaw is here (I believe it would be in addition to 
previously-mentioned patches):

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-09-12 06:56:15 UTC
fixed in 2012.2.4-r8 and 2013.1.3-r5, badness removed

removing myself from cc
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:34:38 UTC
CVE-2013-4278 (
  The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly,
  and Havana does not properly enforce the os-flavor-access:is_public
  property, which allows remote authenticated users to boot arbitrary flavors
  by guessing the flavor id.  NOTE: this issue is due to an incomplete fix for