2015-06-16 19:41 GMT+02:00 Tristan Cacqueray <tdecacqu at redhat.com>:
> =====================================================================
> OSSA-2015-011: Cinder host file disclosure through qcow2 backing file
> =====================================================================
>
> :Date: June 16, 2015
> :CVE: CVE-2015-1850
>
>
> Affects
> ~~~~~~~
> - Cinder: versions through 2014.1.4,
>   and 2014.2 versions through 2014.2.3,
>   and version 2015.1.0
>
>
> Description
> ~~~~~~~~~~~
> Bastian Blank from credativ reported a vulnerability in Cinder. By
> overwriting an image with a malicious qcow2 header, an authenticated
> user may mislead the Cinder upload-to-image action, resulting in
> disclosure of any file from the Cinder server. All Cinder setups are
> affected.
>
>
> Patches
> ~~~~~~~
> - https://review.openstack.org/191871 (Icehouse)
> - https://review.openstack.org/191865 (Juno)
> - https://review.openstack.org/191786 (Kilo)
> - https://review.openstack.org/191785 (Liberty)
>
>
> Credits
> ~~~~~~~
> - Bastian Blank from Credativ (CVE-2015-1850)
>
>
> References
> ~~~~~~~~~~
> - https://launchpad.net/bugs/1415087
> - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1850
>
>
> Notes
> ~~~~~
> - This fix will be included in future 2014.1.5 (icehouse), 2014.2.4
>   (juno) and 2015.1.1 (kilo) releases.

There were discussions about not issuing stable point releases anymore.
Will there be new releases or not?

Regards,
H.

> --
> Tristan Cacqueray
> OpenStack Vulnerability Management Team
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
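The backing-file reference the advisory describes can be spotted before a volume's bytes are handed to upload-to-image. The following is an added example, not Cinder's code or the linked patches: it parses the fixed qcow2 header, pulls out the backing-file string, and refuses the image when one is present, regardless of what format the volume claims to be. The sample images are constructed inline and the host path in them is a hypothetical placeholder.

```python
import struct

# qcow2 fixed header (version 2 layout, big-endian), 72 bytes in total.
QCOW2_MAGIC = b"QFI\xfb"
HEADER_FMT = ">4sIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72
MAX_BACKING_FILE_LEN = 1023  # upper bound the qcow2 spec puts on backing_file_size


def parse_qcow2_header(data: bytes) -> dict:
    """Parse the fixed qcow2 header and resolve the backing-file string, if any."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be a qcow2 header")
    (magic, version, bf_off, bf_size, _cluster_bits, size, _crypt, _l1_size,
     _l1_off, _rc_off, _rc_clusters, _nb_snap, _snap_off) = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    backing = None
    if bf_off or bf_size:
        # Bounds-check the reference before reading it; a truncated or oversized
        # reference is itself a reason to reject the image.
        if bf_size > MAX_BACKING_FILE_LEN or bf_off + bf_size > len(data):
            raise ValueError("backing file reference out of bounds")
        backing = data[bf_off:bf_off + bf_size].decode("utf-8", "replace")
    return {"version": version, "virtual_size": size, "backing_file": backing}


def is_safe_to_upload(data: bytes) -> bool:
    """Policy: bytes that start with the qcow2 magic are inspected no matter what
    format the volume is declared as; any backing-file reference is refused,
    since a converter would open that path on the host. Malformed qcow2 headers
    are refused too. Data without the magic is treated as plain raw data."""
    if not data.startswith(QCOW2_MAGIC):
        return True
    try:
        return parse_qcow2_header(data)["backing_file"] is None
    except ValueError:
        return False


def make_sample_image(backing_file=None) -> bytes:
    """Constructed sample: a minimal qcow2 header with an optional backing-file
    string placed directly after the fixed header (hypothetical values)."""
    path = backing_file.encode() if backing_file else b""
    bf_off = HEADER_LEN if path else 0
    header = struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, bf_off, len(path),
                         16, 1 << 20, 0, 1, 0x10000, 0x20000, 1, 0, 0)
    return header + path
```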