OpenStack Security Advisory: 2014-012 CVE: CVE-2014-0162 Date: April 10, 2014 Title: Remote code execution in Glance Sheepdog backend Reporter: Paul McMillan (Nebula) Products: Glance Versions: from 2013.2 to 2013.2.3 Description: Paul McMillan from Nebula reported a vulnerability in Glance Sheepdog backend. By using a specially crafted location, a user allowed to insert or modify Glance image metadata may trigger code execution on the Glance host as the user the Glance service runs under. This may result in Glance host unauthorized access and further compromise of the Glance service. All setups using Glance server with the (enabled by default) sheepdog backend are affected. Juno (development branch) fix: https://review.openstack.org/86622 Icehouse (milestone-proposed branch) fix: https://review.openstack.org/86625 Havana fix: https://review.openstack.org/86626 Notes: This fix will be included in the icehouse-rc2 development milestone and in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0162 https://launchpad.net/bugs/1298698 -- Tristan Cacqueray OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 555 bytes Desc: OpenPGP digital signature URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140410/2ceff121/attachment.pgp>