Bug 461760 (CVE-2013-1840) - <app-admin/glance-2012.2.3-r1: Backend credentials leak in Glance v1 API (CVE-2013-1840)
Summary: <app-admin/glance-2012.2.3-r1: Backend credentials leak in Glance v1 API (CVE...
Status: RESOLVED FIXED
Alias: CVE-2013-1840
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-14 20:17 UTC by Agostino Sarubbo
Modified: 2013-03-14 21:53 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-03-14 20:17:28 UTC
From ${URL} :

Thierry Carrez (thierry@openstack.org) reports:

Title: Backend credentials leak in Glance v1 API
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: All versions

Description:
Stuart McLaren from HP reported a vulnerability in the information
potentially returned to the user in Glance v1 API. If an authenticated
user requests, through the v1 API, an image that is already cached, the
headers returned may disclose the Glance operator's backend credentials
for that endpoint. Only setups accepting the Glance v1 API and using
either the single-tenant Swift store or S3 store are affected.

Proposed patches:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to Glance master (Grizzly), stable/folsom, and
stable/essex branches on the public disclosure date.
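The leak the advisory describes, a cached-image response whose headers carry the backend store URI together with the operator's credentials, is the kind of defect a response-header filter can catch before the bytes leave the service, and a simple scan of response headers for URIs with embedded userinfo is also a useful check for operators verifying a deployment. The block below is an added example written for this bug page; it is not code from Glance, from the advisory, or from the referenced patches. All header values and store URIs in it are constructed, and the policy of dropping X-Image-Meta-Location outright (the v1 metadata header assumed here to carry the store location) is this example's own choice, not the upstream fix.

```python
"""Defensive scan/redaction of credential-bearing URIs in HTTP response headers.

Added example for CVE-2013-1840 style leaks; not Glance code. Assumes a
v1-style response whose metadata headers may contain a store URI of the form
scheme://user:secret@host/path (Swift or S3 single-tenant style). Every
value below is constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

# Headers that should never reach a client at all, even with credentials
# stripped: the backend location is operator-internal information.
# (Policy chosen for this example; assumed header name.)
DROP_HEADERS = {"x-image-meta-location"}

# Constructed sample response headers (NOT captured from a real Glance).
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Length": "1048576",
    "X-Image-Meta-Id": "img-0001",
    "X-Image-Meta-Location":
        "swift+https://glance:s3cr3t@swift.example.com/v1/AUTH_abc/glance/img-0001",
    "X-Image-Meta-Property-Note":
        "s3+https://AKIAEXAMPLE:w3VeryS3cret@s3.example.com/bucket/img-0001",
}


def redact_uri(value):
    """Return (value with any userinfo removed, True if credentials were present).

    Non-URI values are returned unchanged with False.
    """
    try:
        parts = urlsplit(value)
        has_creds = bool(parts.username or parts.password)
        port = parts.port            # may raise ValueError on a bad port
    except ValueError:
        return value, False          # not a parseable URI; leave it alone
    if not parts.netloc or not has_creds:
        return value, False
    host = parts.hostname or ""
    if ":" in host:                  # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if port is not None:
        host = f"{host}:{port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, True


def sanitize_headers(headers, drop=DROP_HEADERS):
    """Return (clean_headers, findings).

    findings lists the header names that were dropped by policy or that
    carried credentials and were redacted; an operator would alert on a
    non-empty list, since a correctly configured service should emit none.
    """
    clean, findings = {}, []
    for name, value in headers.items():
        if name.lower() in drop:
            findings.append(name)
            continue
        new_value, leaked = redact_uri(value)
        if leaked:
            findings.append(name)
        clean[name] = new_value
    return clean, findings


if __name__ == "__main__":
    cleaned, found = sanitize_headers(SAMPLE_RESPONSE_HEADERS)
    for name in found:
        print(f"credential-bearing or internal header handled: {name}")
    for name, value in cleaned.items():
        print(f"{name}: {value}")
```

Redaction alone is a second line of defence: even a location URI without its userinfo still tells a client which backend and container an image lives in, which is why the example removes the location header entirely and only falls back to stripping userinfo from other headers it does not recognise.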
Comment 2 Matthew Thode (prometheanfire) archtester Gentoo Infrastructure gentoo-dev Security 2013-03-14 21:07:53 UTC
fixed in =app-admin/glance-2012.2.3-r1

glance-2012.2.3 was removed
Comment 3 Sean Amoss gentoo-dev Security 2013-03-14 21:53:49 UTC
Thanks, Matthew. 

Closing noglsa for ~arch only.