[Fiware-lab-federation-nodes] Fwd: [Openstack] [OSSA 2016-012] Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162)

Federico Michele Facca federico.facca at martel-innovate.com
Thu Oct 13 12:50:38 CEST 2016


Dr. Federico Michele Facca
Head of Martel Lab

Martel Innovate
Dorfstrasse 73 - 3073 Gümligen (Switzerland)
0041 78 807 58 38
0041 31 994 25 25
martel-innovate.com <http://martel-innovate.com/>

> Begin forwarded message:
> 
> From: Jeremy Stanley <fungi at yuggoth.org>
> Subject: [Openstack] [OSSA 2016-012] Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162)
> Date: 6 October 2016 at 21:42:34 GMT+2
> To: openstack-announce at lists.openstack.org, openstack at lists.openstack.org
> 
> ================================================================
> OSSA-2016-012: Malicious qemu-img input may exhaust resources in
> Cinder, Glance, Nova
> ================================================================
> 
> :Date: October 06, 2016
> :CVE: CVE-2015-5162
> 
> 
> Affects
> ~~~~~~~
> - Cinder: <=7.0.2, >=8.0.0 <=8.1.1
> - Glance: <=11.0.1, ==12.0.0
> - Nova: <=12.0.4, ==13.0.0
> 
> 
> Description
> ~~~~~~~~~~~
> Richard W.M. Jones of Red Hat reported a vulnerability that affects
> OpenStack Cinder, Glance and Nova. By providing a maliciously
> crafted disk image an attacker can consume considerable amounts of
> RAM and CPU time resulting in a denial of service via resource
> exhaustion. Any project which makes calls to qemu-img without
> appropriate ulimit restrictions in place is affected by this flaw.
> 
> 
> Patches
> ~~~~~~~
> - https://review.openstack.org/382573 (cinder) (Liberty)
> - https://review.openstack.org/378012 (glance) (Liberty)
> - https://review.openstack.org/327624 (nova) (Liberty)
> - https://review.openstack.org/375625 (cinder) (Mitaka)
> - https://review.openstack.org/377736 (glance) (Mitaka)
> - https://review.openstack.org/326327 (nova) (Mitaka)
> - https://review.openstack.org/375102 (cinder) (Newton)
> - https://review.openstack.org/377734 (glance) (Newton)
> - https://review.openstack.org/307663 (nova) (Newton)
> - https://review.openstack.org/375099 (cinder) (Ocata)
> - https://review.openstack.org/375526 (glance) (Ocata)
> 
> 
> Credits
> ~~~~~~~
> - Richard W.M. Jones from Red Hat (CVE-2015-5162)
> 
> 
> References
> ~~~~~~~~~~
> - https://launchpad.net/bugs/1449062
> - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5162
> 
> 
> Notes
> ~~~~~
> - Separate Ocata patches are listed for Cinder and Glance, as they
>  were fixed during the Newton release freeze after it branched from
>  master.
> 
> 
> -- 
> Jeremy Stanley
> OpenStack Vulnerability Management Team
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

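The advisory's closing point, that any caller of qemu-img without ulimit restrictions is exposed, is also the mitigation: put hard resource limits on the qemu-img child process. The following is an added example in Python (not code from the advisory, the linked patches, or the OpenStack projects) that installs RLIMIT_AS and RLIMIT_CPU in the child before exec and keeps a wall-clock timeout as a second line of defence; the 1 GiB and 8 second values are assumed for illustration and `memory_hog_returncode` is a constructed helper that stands in for a crafted image so the limits can be exercised without qemu-img installed.

```python
import resource
import subprocess
import sys

# Assumed illustrative caps: enough for inspecting a sane image, far below
# what a crafted image could otherwise make qemu-img consume.
DEFAULT_ADDRESS_SPACE = 1024 * 1024 * 1024  # 1 GiB of virtual address space
DEFAULT_CPU_SECONDS = 8                      # CPU time, not wall-clock


def _apply_limits(address_space, cpu_seconds):
    """Return a preexec_fn that installs hard rlimits in the child before exec."""
    def _set():
        # Soft == hard so the child cannot raise the limit back up.
        resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    return _set


def run_limited(cmd, address_space=DEFAULT_ADDRESS_SPACE,
                cpu_seconds=DEFAULT_CPU_SECONDS, timeout=30):
    """Run cmd under RLIMIT_AS / RLIMIT_CPU; return (returncode, stdout, stderr).

    RLIMIT_CPU does not cover a child that blocks on I/O, so a wall-clock
    timeout is kept as well; on expiry the child is killed and returncode is None.
    """
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout,
                              preexec_fn=_apply_limits(address_space, cpu_seconds))
    except subprocess.TimeoutExpired:
        return (None, b"", b"wall-clock timeout exceeded")
    return (proc.returncode, proc.stdout, proc.stderr)


def qemu_img_info(path, **limits):
    """Inspect an image with `qemu-img info` under the limits above."""
    return run_limited(["qemu-img", "info", "--output=json", path], **limits)


def memory_hog_returncode(megabytes, address_space=DEFAULT_ADDRESS_SPACE):
    """Constructed stand-in for a malicious image: a child that tries to
    allocate `megabytes` MiB. Under the cap it dies with MemoryError (rc 1)."""
    code = "bytearray(%d * 1024 * 1024)" % megabytes
    rc, _, _ = run_limited([sys.executable, "-c", code], address_space=address_space)
    return rc
```

Running the same allocation with and without the cap shows what the limit buys: a 16 MiB allocation succeeds, a 4 GiB one is refused instead of being paged in.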