From ${URL} :

Jeremy Stanley <jeremy@openstack.org> reports:

Title: Cinder LVM volume driver does not support secure deletion
Reporter: Rongze Zhu (UnitedStack)
Products: Cinder
Affects: 2013.1 (Grizzly) and later

Description:
Rongze Zhu from UnitedStack reported a vulnerability in the Cinder LVM volume driver. The contents of LVM snapshots may not be cleared upon deletion even when secure deletes are configured, resulting in potential exposure of latent data to subsequent servers for other tenants. Only setups using LVMVolumeDriver are affected.

Havana (development branch) fix: https://review.openstack.org/36506
Grizzly fix: https://review.openstack.org/39565

Notes:
This fix is included in the havana-2 development milestone and will appear in a future 2013.1.3 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4183
https://bugs.launchpad.net/nova/+bug/1198185

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
cinder has been updated to 2013.1.3, all bad versions removed from tree, please close.
I'm removing myself as I see this as closable, re-add me if you don't think so.
CVE-2013-4183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4183): The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors.