[Openstack-operators] glance directory traversal bug and havana

Abel Lopez alopgeek at gmail.com
Thu Jan 8 17:40:29 UTC 2015


You might be running an older Havana, IIRC the bug lists Havana3 and Havana4 as vulnerable.

> On Jan 7, 2015, at 8:47 PM, George Shuklin <george.shuklin at gmail.com> wrote:
> 
> I spent a few hours trying to backport to Havana, but then I found that Havana seems to be immune to the bug. I'm not 100% sure, so someone else is advised to look too.
> 
> The bug was that Icehouse+ accepts all supported schemes. The fix excludes 'bad' schemes. However, Havana has an explicitly given list of accepted schemes for the location field, and the 'bad' schemes are not in it.
> 
> On Jan 6, 2015 8:34 PM, "Jesse Keating" <jlk at bluebox.net> wrote:
> Hopefully all of you have seen http://seclists.org/oss-sec/2015/q1/64 which is the glance v2 api directory traversal bug. Upstream has fixed master (kilo) and juno, but havana has not been fixed.
> 
> We, unfortunately, have a few havana installs out there and we'd like to patch this ahead of our planned upgrade to Juno. I'm curious if anybody else out there is in the same situation and is working on backporting the glance patch. If not, I'll share the patch when I'm done, but if so I'd love to share in the work and help the effort.
> 
> Cheers, and happy patching!
> 
> -- 
> -jlk
> 
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

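The distinction George draws between the two fixes (a denylist of 'bad' schemes versus Havana's explicit list of accepted schemes for the location field) is worth seeing side by side. The following is an added example, not code from the thread or from Glance itself: the allowed and denied scheme sets are constructed for illustration and are not Glance's actual store configuration, and the sample location URIs are constructed test inputs.

```python
from urllib.parse import urlsplit

# Constructed allowlist of location schemes for illustration only;
# not Glance's actual configured stores.
ALLOWED_SCHEMES = frozenset({"http", "https", "swift", "swift+http", "swift+https", "rbd"})

# Constructed denylist. The thread does not spell out which schemes the
# Icehouse+ fix excludes, so these entries are hypothetical.
DENIED_SCHEMES = frozenset({"file", "filesystem"})


def scheme_of(uri):
    """Return the lower-cased scheme of a location URI, or None if it has none.

    Leading whitespace is stripped before parsing so that a padded URI is
    classified the same way as its trimmed form.
    """
    scheme = urlsplit(uri.strip()).scheme
    return scheme.lower() if scheme else None


def denylist_accepts(uri):
    """Denylist check, as the thread describes the Icehouse+ fix: reject only
    schemes known to be bad. Anything unknown, including a bare path with no
    scheme at all, is accepted."""
    return scheme_of(uri) not in DENIED_SCHEMES


def allowlist_accepts(uri):
    """Allowlist check, as the thread describes Havana's behaviour: accept a
    location only if its scheme is in the explicit list of accepted schemes."""
    return scheme_of(uri) in ALLOWED_SCHEMES


def compare(uris):
    """Return {uri: (denylist_result, allowlist_result)} so the two policies
    can be compared over the same inputs."""
    return {u: (denylist_accepts(u), allowlist_accepts(u)) for u in uris}


if __name__ == "__main__":
    # Constructed sample locations: backend stores, a local-file URI, a
    # scheme-less path, and a scheme that neither list has heard of.
    samples = [
        "http://images.example.test/cirros.img",
        "swift+https://proxy.example.test/v1/AUTH_x/images/abc",
        "file:///etc/hosts",
        "/var/lib/glance/images/abc",
        "experimental+store://somewhere/object",
    ]
    for uri, (deny_ok, allow_ok) in compare(samples).items():
        print(f"{uri!s:55} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

The last two sample inputs are the point: a scheme-less path and a scheme nobody has listed both pass the denylist, because neither is a recognised 'bad' scheme, while the allowlist rejects them. That is why an explicit list of accepted schemes for the location field is the more robust shape for this kind of check, and why a denylist fix has to be revisited every time a new store scheme is introduced.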