Title: Glance v2 API host file disclosure through qcow2 backing file Reporter: Eric Harney (Red Hat) Products: Glance Affects: 2015.1.0 versions through 2015.1.1 Description: Eric Harney from Red Hat reported a vulnerability in Glance. By importing a qcow2 image with a malicious backing file, an authenticated user may mislead Glance import task action, resulting in the disclosure of any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw.
2015.1.1 has been out a while already and the patch doesn't backport cleanly, please stabilize =app-admin/glance-2015.1.1-r1.
Arches, please test and mark stable: =app-admin/glance-2015.1.1-r1 Target Keywords : "amd64 x86" Thank you!
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No
(In reply to Yury German from comment #5) > GLSA Vote: No GLSA Vote: No