
Bug 501156 (CVE-2014-1948)

Summary: <app-admin/glance-2013.2.1-r1 : Store Backend Credentials Disclosure Weakness (CVE-2014-1948) [OSSA 2014-004]
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: prometheanfire
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/56419/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-02-13 08:29:55 UTC
From ${URL} :

Description

A weakness has been reported in OpenStack Glance, which can be exploited by malicious, local users to disclose certain sensitive information.

The weakness is caused due to the application logging store backend credentials when handling authentication errors and can be exploited to e.g. disclose the credentials.

NOTE: The weakness affects only Glance setups using the Swift store backend.

The weakness is reported in version 2013.2 (Havana).


Solution:
Fixed in the source code repository.

Provided and/or discovered by:
Nikhil Komawar, Rackspace within a Launchpad bug report.

Original Advisory:
OpenStack:
https://review.openstack.org/#/c/71419/

Nikhil Komawar:
https://bugs.launchpad.net/glance/+bug/1275062


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-13 08:31:05 UTC
fixed in 2013.2.1-r1 kthnxbai
Comment 2 Agostino Sarubbo gentoo-dev 2014-02-13 19:32:18 UTC
closing as noglsa
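
For the weakness described in the advisory quoted above (store backend credentials written to the log on authentication errors), the following is an added example, not code from this bug report or from the Glance fix: a scan of existing log lines for credential-bearing URIs, plus a `logging.Filter` that scrubs them before they are written. It assumes the credentials appear as the userinfo part of a store URI (`scheme://credentials@host/...`), which the page does not state; the names `redact`, `find_leaks`, `RedactingFilter` and the sample log lines are constructed for illustration.

```python
import logging
import re

# Assumption (not from the page): the leaked credentials sit in the userinfo
# part of a URI, i.e. between "scheme://" and "@".
_URI_WITH_USERINFO = re.compile(
    r"(?P<scheme>\b[a-z][a-z0-9+.\-]*://)(?P<userinfo>[^/\s@]+)@", re.IGNORECASE
)
REDACTED = "***"


def redact(text):
    """Replace the userinfo part of every URI in text with a fixed marker."""
    return _URI_WITH_USERINFO.sub(lambda m: m.group("scheme") + REDACTED + "@", text)


def find_leaks(lines):
    """Return (line_number, redacted_line) for each line holding URI credentials."""
    return [
        (number, redact(line))
        for number, line in enumerate(lines, 1)
        if _URI_WITH_USERINFO.search(line)
    ]


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs URI credentials before a record is emitted."""

    def filter(self, record):
        # Render msg % args first so credentials passed as arguments are caught too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


# Constructed sample log lines (not taken from a real Glance deployment).
SAMPLE_LOG = [
    "2014-02-01 10:00:01 INFO glance.api Image upload started",
    "2014-02-01 10:00:02 ERROR glance.store Auth failed for "
    "swift+https://tenant:svc-user:EXAMPLE-KEY@auth.example.invalid/v2.0/images/abc",
    "2014-02-01 10:00:03 INFO glance.api See https://docs.example.invalid/help",
]

if __name__ == "__main__":
    for number, line in find_leaks(SAMPLE_LOG):
        print(number, line)
```

Any credential that `find_leaks` turns up in a real log should be treated as exposed and rotated; redacting the log file does not undo the disclosure.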