Subject: [Openstack] [OSSA 2013-002] Backend password leak in Glance error message (CVE-2013-0212)
From: Thierry Carrez (thie@openstack.org)
Date: Jan 29, 2013 12:06:43 pm
List: net.launchpad.lists.openstack


OpenStack Security Advisory: 2013-002
CVE: CVE-2013-0212
Date: January 29, 2013
Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Products: Glance
Affects: All versions

Dan Prince of Red Hat discovered an issue in Glance error reporting. By creating an image in Glance by URL that references a mis-configured Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image references for any reason becomes unusable, an authenticated user may access the Glance operator's Swift credentials for that endpoint. Only setups that use the single-tenant Swift store are affected.

Grizzly (development branch) fix: http://github.com/openstack/glance/commit/e96273112b5b5da58d970796b7cfce04c5030a89

Folsom fix (included in upcoming Glance 2012.2.3 stable update): http://github.com/openstack/glance/commit/96a470be64adcef97f235ca96ed3c59ed954a4c1

Essex fix: http://github.com/openstack/glance/commit/37d4d96bf88c2bf3e7e9511b5e321cf4bed364b7

References:
https://bugs.launchpad.net/glance/+bug/1098962
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0212

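
One way to keep store credentials out of user-visible error text, as an added example (not code from the advisory or from the Glance fix commits). It assumes single-tenant Swift locations carry the operator's credentials in the URI userinfo, as in the constructed sample; all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit

REDACTED = "***"

# Constructed sample. Assumption: a single-tenant Swift location keeps the
# operator's credentials in the URI userinfo (user:key@auth-endpoint).
SAMPLE = "swift+https://acct:user:s3cret@auth.example.com:5000/v2.0/images/abc"

def redact_uri(uri):
    """Return uri with any userinfo replaced by a fixed marker."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "<redacted-uri>"  # fail closed on anything unparseable
    if "@" not in parts.netloc:
        return uri
    # rpartition keeps only the host, even if the key itself contains '@'
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc=f"{REDACTED}@{host}"))

# URI-shaped tokens embedded in free text, such as a lower-layer exception string
_URI_IN_TEXT = re.compile(r"[a-z][a-z0-9+.-]*://[^\s'\"<>]+", re.I)

def scrub_message(text):
    """Redact credentials from every URI found inside a message."""
    return _URI_IN_TEXT.sub(lambda m: redact_uri(m.group(0)), text)

def unsafe_error(uri, reason):
    # Leaky pattern: the raw location reaches the API user verbatim
    return f"Could not fetch image from {uri}: {reason}"

def safe_error(uri, reason):
    # Redact the location, then scrub the reason, which may repeat the URI
    return scrub_message(f"Could not fetch image from {redact_uri(uri)}: {reason}")

if __name__ == "__main__":
    reason = f"auth failed for {SAMPLE}"
    print(unsafe_error(SAMPLE, reason))
    print(safe_error(SAMPLE, reason))
```

Scrubbing the full message matters because a lower-layer exception string can repeat the location even when the caller has already redacted its own copy.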