Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <52669A31.8060009@openstack.org>
Date: Tue, 22 Oct 2013 17:30:57 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: [OSSA 2013-027] Glance image_download policy not enforced for cached
 images (CVE-2013-4428)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-027
CVE: CVE-2013-4428
Date: October 22, 2013
Title: Glance image_download policy not enforced for cached images
Reporter: Stuart McLaren (HP)
Products: Glance
Affects: Grizzly, Folsom (and earlier versions)

Description:
Stuart McLaren from HP reported a vulnerability in Glance download_image
policy enforcement in the case of cached images. Deployers may opt to
set a download_image policy to restrict image download to specific
roles. However, when an image is previously cached by an authorized
download, any authenticated user could download image contents if it can
determine the image UUID, bypassing any download_image policy
restrictions. This could result in disclosure of image contents that
were thought to be protected by the download_image policy setting. Only
setups making use of the download_image policy are affected.

The Havana release (2013.2) is not affected.

Grizzly fix (included in 2013.1.4 recent release):
https://review.openstack.org/#/c/50103/

Folsom fix:
https://review.openstack.org/#/c/50860/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4428
https://bugs.launchpad.net/glance/+bug/1235378

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSZpoxAAoJEFB6+JAlsQQjGIcP/jH6o0gGVUxYcZxlE6sOZtCj
npshvXY1iEdgzegh+IT8CF3rJNSbC/01QOu0oLwmBLxrT/jF5nhgdlcB33ixuutV
K9bK47nKHJPma4pOaLAXRlJKLoogGJ1BJ4IQGLsQNE5HngTp2atD75+TwSpbifTa
5yR+Uc8+3zJzvwFkyPrxKRWk4lX2bu1QQkCZWkJCI63QI73N1rJOZ7j2oyX5xxra
lJEizl5gJ5CiD/I3R2LSH1o0i8BmbnSKUsB4qVv2RDtoW2AW1HW0v85HfAi9K18n
5Ze2znfl5rsa7aeS1ilSzg5hyYIQWEqccEfMAWxztyr3r99hCbtilFprpjvYM3h5
9Q1FmL4sWUOozpbqQZ36Jijw9UADxZaNAwi4HyoiZeoe08lST8KsPwXZQuPoy2do
IFpmKMo32un2NMCQbfyUQ4c3eQOLL1GVEKvbAuho1kX0EJ5BlfzMmS0+GzHrGm5c
UlJZ+BAvYyPoNNBplk+FHxgBUl5MTIl5hKVPCA5Evrs+xRysr2tTgovRyS1X5O8W
oNTBFmCI9aFu2cehAp629yR0oVVQBx2NE7UUJd8J9LuhW5YjHlpK9rhZTvyuTt+E
MNvsnX7NHZJe62pTg3TQl6ZJJWp9hZmZrE0jGDxluxPCSh2lD4TS3+Ree6jnsSrD
5s5N1mttexTCVndzfFPP
=y9Fg
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.