Title: Glance storage overrun
Reporter: Mike Fedosin and Alexei Galkin (Mirantis)
Products: Glance
Affects: <=2014.2.3, >=2015.1.0, <=2015.1.1
Description: Mike Fedosin and Alexei Galkin from Mirantis reported a vulnerability in Glance. By deleting images that are being uploaded using a token that is about to expire, a malicious user can overcome the storage quota and accumulate untracked image data in the backend, resulting in potential resource exhaustion and denial of service. All Glance setups using the V1 API are affected, and all setups using the V2 API with the registry db_api enabled are affected.
Reproducible: Always
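The accounting failure the advisory describes can be seen in a small model: quota is computed from registry records, while bytes actually land in the backend store, and the two are only reconciled when an upload finishes normally. The following is an added illustration written for this page, not Glance's code; the registry, store, quota value, image ids and owner name are all constructed, and the expiring token is abstracted away as "the registry record is already gone when the backend write completes". The naive path keeps the orphaned bytes; the hardened path re-reads the record after the write and discards data whose image no longer exists.

```python
# Toy model of the quota-vs-backend accounting race described in the bug report.
# Added illustration for this page, not Glance's own code; all names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, Tuple

QUOTA_BYTES = 100  # per-owner byte limit in the toy model (constructed value)


@dataclass
class ImageRecord:
    owner: str
    status: str = "queued"  # queued -> saving -> active
    size: int = 0


@dataclass
class Registry:
    """Stands in for the registry DB: the only thing quota accounting looks at."""
    images: Dict[str, ImageRecord] = field(default_factory=dict)

    def tracked_bytes(self, owner: str) -> int:
        return sum(r.size for r in self.images.values() if r.owner == owner)

    def delete(self, image_id: str) -> None:
        # Drops the record even while the image is still 'saving'.
        self.images.pop(image_id, None)


@dataclass
class BackendStore:
    """Stands in for the storage backend (file, swift, ...) holding image bytes."""
    blobs: Dict[str, int] = field(default_factory=dict)

    def total_bytes(self) -> int:
        return sum(self.blobs.values())


def begin_upload(reg: Registry, image_id: str, owner: str, size: int) -> bool:
    """Quota check against tracked bytes, then transition to 'saving'."""
    if reg.tracked_bytes(owner) + size > QUOTA_BYTES:
        return False
    reg.images[image_id] = ImageRecord(owner=owner, status="saving", size=size)
    return True


def finish_upload(reg: Registry, store: BackendStore, image_id: str,
                  size: int, hardened: bool) -> bool:
    """The backend write completes. Returns True if the image became active."""
    store.blobs[image_id] = size  # bytes are now physically in the backend
    record = reg.images.get(image_id)
    if record is None:
        # The image was deleted while its data was in flight.
        if hardened:
            # Reconcile: never keep bytes that no registry record accounts for.
            store.blobs.pop(image_id)
        return False
    record.status = "active"
    return True


def run_scenario(hardened: bool, rounds: int = 5, size: int = 60) -> Tuple[int, int]:
    """One tenant repeatedly starts an upload, deletes the image mid-upload, and
    lets the backend write complete. Returns (tracked_bytes, backend_bytes)."""
    reg, store = Registry(), BackendStore()
    for i in range(rounds):
        image_id = f"img-{i}"
        if not begin_upload(reg, image_id, "tenant-a", size):
            raise RuntimeError("quota check unexpectedly rejected the upload")
        reg.delete(image_id)  # delete while status is still 'saving'
        finish_upload(reg, store, image_id, size, hardened)
    return reg.tracked_bytes("tenant-a"), store.total_bytes()


if __name__ == "__main__":
    # Naive: quota sees 0 bytes while the backend holds 5 * 60 = 300 > QUOTA_BYTES.
    print("naive   :", run_scenario(hardened=False))
    # Hardened: orphaned data is discarded, backend stays at 0 bytes.
    print("hardened:", run_scenario(hardened=True))
```

The point of the model is that the quota check alone cannot catch this: every round passes it, because the deleted record contributes nothing to the tenant's tracked bytes. The fix has to live on the store side, either by rejecting deletes of images in the saving state or, as shown here, by re-checking the record after the backend write and removing data that no longer has an owner. In an operational setting, the same comparison (backend bytes versus registry-tracked bytes) is also a useful periodic audit for finding orphaned image data.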
arches, please stabilize the following for amd64 and x86 =app-admin/glance-2015.1.1-r3
amd64 stable
x86 stable. Maintainer(s), please cleanup.
cleaned up
Why is nearly every package in the portage tree infected by this vulnerability? I just did `egencache --repo gentoo --update-changelogs`; perhaps not related to this bug, but a portage tree in git failure...
Tree cleaned

commit 1d56fda8ae8dbf384176751bb5f0530cc7b48aee
Author: Justin Lecher <jlec@gentoo.org>
Date: Fri Oct 30 13:50:51 2015 +0100

app-admin/glance: Clean vulnerable version

Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=562156
Package-Manager: portage-2.2.23
Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d56fda8ae8dbf384176751bb5f0530cc7b48aee
The new version of glance is 11.x.y; the old naming scheme was date based. Don't remove new versions of software.
GLSA Vote: No
Vote: NO.