Message-ID: <50C780D5.6040902@openstack.org>
Date: Tue, 11 Dec 2012 19:52:05 +0100
From: Thierry Carrez <thierry@...nstack.org>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>,
 oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org
Subject: [OSSA 2012-020] Information leak in libvirt LVM-backed instances (CVE-2012-5625)

OpenStack Security Advisory: 2012-020
CVE: CVE-2012-5625
Date: December 11, 2012
Title: Information leak in libvirt LVM-backed instances
Reporter: Eric Windisch (Cloudscaling)
Products: Nova
Affects: Folsom, Grizzly

Description:
Eric Windisch from Cloudscaling reported a vulnerability in libvirt
LVM-backed instances. The physical volume content was not wiped out
before being reallocated and passed to an instance, which may result
in the disclosure of information from previously-allocated logical
volumes. Only setups using libvirt and LVM-backed instances
(libvirt_images_type=lvm) are affected.

Grizzly (development branch) fix:
http://github.com/openstack/nova/commit/9d2ea970422591f8cdc394001be9a2deca499a5f

Folsom fix (included in upcoming Nova 2012.2.2 stable update):
http://github.com/openstack/nova/commit/a99a802e008eed18e39fc1d98170edc495cbd354

References:
https://bugs.launchpad.net/nova/+bug/1070539
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5625

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
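The reallocation leak described in the advisory, as an added example that is not part of the original message and is not Nova or LVM code: a toy in-memory volume group that hands extents to a new volume without clearing them, beside the same model with a wipe on release. `ToyVolumeGroup`, the volume names and the sample data are hypothetical, and wiping on release is shown as one way to close the leak, not as a description of the linked commits.

```python
EXTENT = 16  # bytes per extent; toy model constructed for this example


class ToyVolumeGroup:
    """Fixed pool of extents handed out to named logical volumes."""

    def __init__(self, extents, wipe_on_release):
        self.disk = bytearray(extents * EXTENT)   # the "physical volume"
        self.free = list(range(extents))          # free extent indexes
        self.volumes = {}                         # name -> extent indexes
        self.wipe_on_release = wipe_on_release

    def create(self, name, extents):
        if extents > len(self.free):
            raise ValueError("not enough free extents")
        # Allocation only records ownership; it never touches the bytes.
        self.volumes[name] = [self.free.pop(0) for _ in range(extents)]

    def write(self, name, data):
        if len(data) > len(self.volumes[name]) * EXTENT:
            raise ValueError("data larger than volume")
        for i, idx in enumerate(self.volumes[name]):
            chunk = data[i * EXTENT:(i + 1) * EXTENT]
            self.disk[idx * EXTENT:idx * EXTENT + len(chunk)] = chunk

    def read(self, name):
        return b"".join(bytes(self.disk[i * EXTENT:(i + 1) * EXTENT])
                        for i in self.volumes[name])

    def remove(self, name):
        extents = self.volumes.pop(name)
        if self.wipe_on_release:
            for idx in extents:                    # zero before reuse
                self.disk[idx * EXTENT:(idx + 1) * EXTENT] = bytes(EXTENT)
        self.free = extents + self.free            # released extents are reused first


def residual_after_reallocation(wipe_on_release):
    """Tenant A writes and deletes; return what tenant B's new volume reads."""
    vg = ToyVolumeGroup(extents=4, wipe_on_release=wipe_on_release)
    vg.create("tenant-a-disk", 2)
    vg.write("tenant-a-disk", b"tenant-a constructed secret")
    vg.remove("tenant-a-disk")
    vg.create("tenant-b-disk", 2)
    return vg.read("tenant-b-disk")


if __name__ == "__main__":
    print(residual_after_reallocation(False), residual_after_reallocation(True))
```

Without the wipe, the second tenant's freshly created volume still reads back the first tenant's bytes; with it, the volume reads as zeros.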