Bug 488548 (CVE-2013-4428) - <app-admin/glance-2013.1.4: image_download policy not enforced for cached images (CVE-2013-4428)
Summary: <app-admin/glance-2013.1.4: image_download policy not enforced for cached im...
Status: RESOLVED FIXED
Alias: CVE-2013-4428
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2013/q4/100
Whiteboard: ~4 [noglsa]
Reported: 2013-10-19 06:38 UTC by Mikle Kolyada (RETIRED)
Modified: 2013-11-19 04:13 UTC (History)
Description Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-19 06:38:42 UTC
from ${URL}:

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public,
although an advisory was not sent yet.

"""
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Folsom, Grizzly

Description:
Stuart McLaren from HP reported a vulnerability in Glance download_image
policy enforcement in the case of cached images. Deployers may opt to
set a download_image policy to restrict image download to specific
roles. However, when an image is previously cached by an authorized
download, any authenticated user could download image contents if it can
determine the image UUID, bypassing any download_image policy
restrictions. This could result in disclosure of image contents that
were thought to be protected by the download_image policy setting. Only
setups making use of the download_image policy are affected.
"""

References:
https://bugs.launchpad.net/glance/+bug/1235378

Thanks in advance,

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
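The cache bypass described in the advisory above, modelled as an added Python example (constructed here, not Glance's own code): the vulnerable handler consults the image cache before the policy check, while the fixed handler enforces the policy on every request first. The policy key download_image, the role name image-downloader and the UUID are assumed values.

```python
# Constructed model of the CVE-2013-4428 pattern, not Glance's own code; the policy
# key "download_image", the role "image-downloader" and the UUID are assumed values.
class Forbidden(Exception):
    """Raised when the download_image policy denies the request."""

def enforce_download_policy(policy, context):
    """Role-based rule: if the policy lists roles, the caller must hold one of them."""
    allowed = policy.get("download_image", set())
    if allowed and not allowed.intersection(context["roles"]):
        raise Forbidden("download_image denied for %s" % context["user"])

class ImageService:
    def __init__(self, policy, backend):
        self.policy = policy
        self.backend = backend  # image_id -> bytes, the authoritative store
        self.cache = {}         # image_id -> bytes, filled by the first download

    def download_vulnerable(self, context, image_id):
        # Bug pattern: a cache hit returns before the policy runs, so any authenticated
        # caller who knows the UUID gets data that an authorized user fetched earlier.
        if image_id in self.cache:
            return self.cache[image_id]
        enforce_download_policy(self.policy, context)
        self.cache[image_id] = self.backend[image_id]
        return self.cache[image_id]

    def download_fixed(self, context, image_id):
        # Fix pattern: enforce the policy on every request, before any cache lookup.
        enforce_download_policy(self.policy, context)
        if image_id not in self.cache:
            self.cache[image_id] = self.backend[image_id]
        return self.cache[image_id]

def demo():
    """Returns (vulnerable_leaked, fixed_denied) after an authorized fetch warms the cache."""
    policy = {"download_image": {"image-downloader"}}
    image_id = "11111111-2222-3333-4444-555555555555"  # constructed UUID
    backend = {image_id: b"secret-disk-image"}         # constructed image data
    alice = {"user": "alice", "roles": ["image-downloader"]}
    bob = {"user": "bob", "roles": ["member"]}
    vuln = ImageService(policy, backend)
    vuln.download_vulnerable(alice, image_id)          # authorized fetch fills the cache
    leaked = vuln.download_vulnerable(bob, image_id) == backend[image_id]
    fixed = ImageService(policy, backend)
    fixed.download_fixed(alice, image_id)
    try:
        fixed.download_fixed(bob, image_id)
        denied = False
    except Forbidden:
        denied = True
    return leaked, denied
```

The same policy check passes for bob on neither path until the cache is warm; only the vulnerable handler's cache branch skips it, which is the condition the advisory describes.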
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 05:18:40 UTC
grizzly fixed, but the next folsom release should be out soon.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:32:22 UTC
CVE-2013-4428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4428):
  OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly
  before 2013.1.4, and Havana before 2013.2, when the image_download policy is
  configured, does not properly restrict access to cached images, which allows
  remote authenticated users to read otherwise restricted images via an image
  UUID.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-19 03:51:46 UTC
folsom removed from tree, should be good to close now.