Br,
Federico

--
Future Internet is closer than you think!
http://www.fiware.org

Official Mirantis partner for OpenStack Training
https://www.create-net.org/community/openstack-training

--
Dr. Federico M. Facca

CREATE-NET
Via alla Cascata 56/D
38123 Povo Trento (Italy)

P +39 0461 312471
M +39 334 6049758
E federico.facca at create-net.org
T @chicco785
W www.create-net.org

---------- Forwarded message ----------
From: Tristan Cacqueray <tdecacqu at redhat.com>
Date: Fri, Oct 2, 2015 at 5:00 PM
Subject: [openstack-announce] [OSSA 2015-020] Glance storage overrun (CVE-2015-5286)
To: openstack-announce at lists.openstack.org, openstack at lists.openstack.org

=====================================
OSSA-2015-020: Glance storage overrun
=====================================

:Date: October 01, 2015
:CVE: CVE-2015-5286

Affects
~~~~~~~
- Glance: <=2014.2.3, >=2015.1.0, <=2015.1.1

Description
~~~~~~~~~~~
Mike Fedosin and Alexei Galkin from Mirantis reported a vulnerability in
Glance. By deleting images that are being uploaded using a token that is
about to expire, a malicious user can overcome the storage quota and
accumulate untracked image data in the backend resulting in potential
resource exhaustion and denial of service. All Glance setups using the V1
API are affected and all setups using the V2 API with the registry db_api
enabled are affected.

Patches
~~~~~~~
- https://review.openstack.org/229946 (Juno)
- https://review.openstack.org/229975 (Juno)
- https://review.openstack.org/229945 (Kilo)
- https://review.openstack.org/229973 (Kilo)
- https://review.openstack.org/230056 (Liberty)
- https://review.openstack.org/229972 (Liberty)
- https://review.openstack.org/229943 (Mitaka)
- https://review.openstack.org/229971 (Mitaka)

Credits
~~~~~~~
- Mike Fedosin from Mirantis (CVE-2015-5286)
- Alexei Galkin from Mirantis (CVE-2015-5286)

References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1498163
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5286

Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo)
  releases.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team

_______________________________________________
OpenStack-announce mailing list
OpenStack-announce at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.fiware.org/private/fiware-lab-federation-nodes/attachments/20151002/18a4388b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 484 bytes
Desc: not available
URL: <https://lists.fiware.org/private/fiware-lab-federation-nodes/attachments/20151002/18a4388b/attachment.pgp>
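
An added example, not part of the forwarded advisory or of Glance itself: one way for an operator to look for the "untracked image data" the advisory describes, by reconciling a backend object listing against image records. It assumes a backend where each stored object is named after its image ID; the record layout, the LIVE_STATUSES set and all sample values are constructed for illustration.

```python
"""Reconcile image-store objects against image records (added example)."""
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Assumption: statuses for which data is legitimately expected in the
# backend. Adjust to the deployment (e.g. delayed delete / scrubber).
LIVE_STATUSES = {"active", "saving", "pending_delete"}


class StoredObject(NamedTuple):
    name: str  # object name in the backend, assumed equal to the image ID
    size: int  # size in bytes


Orphan = Tuple[str, str, int]  # (object name, record status, size)


def find_untracked(
    objects: Iterable[StoredObject],
    image_status: Dict[str, str],
    live: Set[str] = LIVE_STATUSES,
) -> Tuple[List[Orphan], int]:
    """Return (orphans, total_bytes), largest orphan first.

    An object is an orphan when no image record exists for it, or when the
    record is in a status that should not hold data (e.g. "deleted").
    The second case matches the advisory: the image was deleted while its
    upload was still in flight, and the data landed afterwards.
    """
    orphans: List[Orphan] = []
    for obj in objects:
        status: Optional[str] = image_status.get(obj.name)
        if status not in live:
            orphans.append((obj.name, status or "no-record", obj.size))
    orphans.sort(key=lambda o: o[2], reverse=True)
    return orphans, sum(o[2] for o in orphans)


# Constructed sample input: a backend listing and an image-record export.
SAMPLE_OBJECTS = [
    StoredObject("img-a", 1000), StoredObject("img-b", 5000),
    StoredObject("img-c", 3000), StoredObject("img-d", 200),
]
SAMPLE_STATUS = {"img-a": "active", "img-b": "deleted", "img-d": "saving"}

if __name__ == "__main__":
    found, total = find_untracked(SAMPLE_OBJECTS, SAMPLE_STATUS)
    for name, status, size in found:
        print(f"{name}\t{status}\t{size} bytes")
    print(f"untracked total: {total} bytes")
```

Objects reported here count against no tenant's quota, so their total size is the amount of storage the quota check is not seeing.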