Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <525D8FF9.1090304@openstack.org>
Date: Tue, 15 Oct 2013 20:56:57 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: CVE request for a vulnerability in OpenStack Glance

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public,
although an advisory was not sent yet.

"""
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Folsom, Grizzly

Description:
Stuart McLaren from HP reported a vulnerability in Glance download_image
policy enforcement in the case of cached images. Deployers may opt to
set a download_image policy to restrict image download to specific
roles. However, when an image is previously cached by an authorized
download, any authenticated user could download image contents if it can
determine the image UUID, bypassing any download_image policy
restrictions. This could result in disclosure of image contents that
were thought to be protected by the download_image policy setting. Only
setups making use of the download_image policy are affected.
"""

References:
https://bugs.launchpad.net/glance/+bug/1235378

Thanks in advance,

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSXY/1AAoJEFB6+JAlsQQjzaQQAMA8y6U5MocsXSLbIduRruEl
eu30WiUlpZFtrbHvsdxDuZdm0qH55cIAFLEnsvhtqcLCVMQz78/dYfNbH35awywc
sT4t9kSuK05Ahx9j9J9GLO0Pw2krZP69ht3UphwrlbwyrbC9i1AwIhB8I1+BGNDo
XnD/MvyHnKE4IYnXm4io2vhXEU4K92l8kRyqAgglmrZmOlgWINecXgbFalyNRMQZ
FveYjv/4yODR2IAKCJIGKI3bF4GAions6dXAmyaMZ9Y6H08xS91sFgS7TqFraK9p
W3OAbTglx12zdjGOh2KO8HC3C46g2JDTt6Vt1eYaaJDSZiWs3u1U+JI7ob5KuWEo
xqRSVfPRNzdbO/NSJ80LbDFFrCfu61hO+HYmuLlCDs6Db1Wt0zIYjma2JtMsbl4L
5Semh3J0UcxwoRK5+pMmKuzJ+Q+Qbr8FNIAx4rHbCXnPRTAHnecd+5WFIzHAezuf
wW2z5j7jHqofSmPDcaoEZsw9Ar6LE3Edf9L3li1D7A2klI+vULRsd+41SzH4WgG0
+SeNogL+2SH8dB8KCLYpxayBMr8iCvHhr8DohkLJfRRJy0+ib1avuilnq3xDTIZq
BvrvcSoJS3CiJg51M29upGXjH5fOyu5zhAYdq6nF6srmx5Lqd8AHLbYu/uxcMwmp
A6Nm2aQI48wT5J3gJ21i
=uDpa
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.