| Summary: | <app-admin/glance-12.0.0: Use of MD5 in OpenStack Glance image signature | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2015/11/17/17 | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
The patch from upstream is present in 12.0.0, but is not in 11.0.1. Please clean the tree of 11.0.1-r1 as 12.0.0 is already stable. Upstream commit: https://git.openstack.org/cgit/openstack/glance/commit/?id=09a0acefc7d27b85e7145611a3852bcf0765f769 cleaned up a while ago and forgot to mention it here cleaned up, removing self from cc GLSA Vote: No |
From ${URL}: A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Use of MD5 in OpenStack Glance image signature Reporter: Daniel P. Berrange (Red Hat) Products: Glance Affects: =11.0.0 Description: Daniel P. Berrange from Red Hat reported a vulnerability in Glance image signature. Glance computes cryptographic signature using MD5 hash of the image. By crafting a malicious image that produces a MD5 collision, a Glance backend operator may subvert the signature verification process, resulting in a corrupted image. All Glance setups are affected. References: https://launchpad.net/bugs/1516031 Thanks in advance, -- Tristan Cacqueray OpenStack Vulnerability Management Team