Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 482144 (CVE-2013-4278) - <sys-cluster/nova-{2012.2.4-r8,2013.1.3-r5} : private flavors resource limit circumvention incomplete fix for CVE-2013-2256
Summary: <sys-cluster/nova-{2012.2.4-r8,2013.1.3-r5} : private flavors resource limit ...
Alias: CVE-2013-4278
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2013-08-22 20:21 UTC by Agostino Sarubbo
Modified: 2013-09-17 22:34 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-08-22 20:21:40 UTC
From ${URL} :

Vincent Danen ( reports:

The previous fix was insufficient and did not fully fix the flaw, as noted here:

The patch to fully correct this flaw is here (I believe it would be in addition to 
previously-mentioned patches):

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-09-12 06:56:15 UTC
fixed in 2012.2.4-r8 and 2013.1.3-r5  badness removed

removing myself from cc
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-09-17 22:34:38 UTC
CVE-2013-4278 (
  The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly,
  and Havana does not properly enforce the os-flavor-access:is_public
  property, which allows remote authenticated users to boot arbitrary flavors
  by guessing the flavor id.  NOTE: this issue is due to an incomplete fix for