Your message dated Thu, 08 Nov 2012 08:47:31 +0000
with message-id <e1twnlr-0006pu...@franck.debian.org>
and subject line Bug#692641: fixed in glance 2012.1.1-2
has caused the Debian Bug report #692641,
regarding CVE-2012-4573: Authentication bypass for image deletion
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
692641: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692641
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glance
Version: 2012.1.1-1.1
Severity: critical

Gabe Westmaas from Rackspace reported a vulnerability in Glance
authentication of image deletion requests. Authenticated users may be
able to delete arbitrary, non-protected images from Glance servers. Only
Folsom/Grizzly deployments that expose the v1 API are affected by this
vulnerability. Additionally, Essex deployments that use the
delayed_delete option are also affected.

Below is the proposed patch.

Thomas

diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
index 9bedf20..2684454 100644
--- a/glance/api/v1/images.py
+++ b/glance/api/v1/images.py
@@ -738,10 +738,10 @@ class Controller(controller.BaseController):
         # to delete the image if the backend doesn't yet store it.
         # See https://bugs.launchpad.net/glance/+bug/747799
         try:
+            registry.delete_image_metadata(req.context, id)
             if image['location']:
                 schedule_delete_from_backend(image['location'], self.conf,
                                              req.context, id)
-            registry.delete_image_metadata(req.context, id)
         except exception.NotFound, e:
             msg = ("Failed to find image to delete: %(e)s" % locals())
             for line in msg.split('\n'):
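Review bot: moving registry.delete_image_metadata ahead of schedule_delete_from_backend makes the registry's authorization decision gate the backend deletion, so a caller the registry rejects never triggers removal of the stored data; the trade-off is that a failure inside schedule_delete_from_backend now leaves the blob orphaned with no metadata pointing at it, whereas before the metadata survived such a failure. The comment above the try block (referring to bug 747799) still describes only the "backend doesn't yet store it" case and should be extended to say why the registry call has to come first. Note also that a NotFound raised by delete_image_metadata now skips the backend delete entirely, which is caught by the same `except exception.NotFound, e:` branch below; worth a sentence in the commit message.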

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
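The ordering problem described in the report above, modelled as an added example that is not Glance's own code: an in-memory stand-in registry that enforces ownership and the protected flag, a backend store with no authorization of its own, and the delete handler written in both the pre-fix order (backend first, registry second) and the post-fix order. The class and function names (Registry, Store, Context, run_scenario) and the simplified ownership rule are assumptions for illustration; real Glance policy is richer.

```python
"""Model of the CVE-2012-4573 ordering bug (added example, not Glance code).

The registry is the only component that authorizes a delete. If the handler
schedules the backend deletion before calling the registry, an authorization
failure arrives too late: the stored image data is already gone.
"""


class Forbidden(Exception):
    """Raised by the registry when the caller may not modify the image."""


class NotFound(Exception):
    """Raised when no image metadata exists for the id."""


class Context:
    """Request context: who is calling (assumption: user name plus admin flag)."""

    def __init__(self, user, is_admin=False):
        self.user = user
        self.is_admin = is_admin


class Registry:
    """Stand-in registry service: owns metadata and enforces the delete policy."""

    def __init__(self):
        self.images = {}  # image_id -> {"owner", "location", "protected"}

    def get_image_metadata(self, ctx, image_id):
        # Assumption: any authenticated user may read the metadata.
        try:
            return dict(self.images[image_id])
        except KeyError:
            raise NotFound(image_id)

    def delete_image_metadata(self, ctx, image_id):
        image = self.images.get(image_id)
        if image is None:
            raise NotFound(image_id)
        if image["protected"]:
            raise Forbidden("image %s is protected" % image_id)
        if not ctx.is_admin and image["owner"] != ctx.user:
            raise Forbidden("%s does not own %s" % (ctx.user, image_id))
        del self.images[image_id]


class Store:
    """Stand-in backend (filesystem, swift, ...): deletes whatever it is told to."""

    def __init__(self):
        self.blobs = {}  # location -> bytes

    def schedule_delete(self, location):
        self.blobs.pop(location, None)


def delete_vulnerable(registry, store, ctx, image_id):
    """Pre-fix order: backend deletion is scheduled before the registry decides."""
    image = registry.get_image_metadata(ctx, image_id)
    if image["location"]:
        store.schedule_delete(image["location"])
    registry.delete_image_metadata(ctx, image_id)  # authorization happens here, too late


def delete_fixed(registry, store, ctx, image_id):
    """Post-fix order: the registry authorizes (and removes metadata) first."""
    image = registry.get_image_metadata(ctx, image_id)
    registry.delete_image_metadata(ctx, image_id)  # Forbidden is raised before any side effect
    if image["location"]:
        store.schedule_delete(image["location"])


LOCATION = "file:///var/lib/glance/images/img-1"  # constructed sample location


def run_scenario(handler, user="bob", protected=False):
    """Run one delete attempt; return (forbidden_raised, blob_still_in_store).

    The image is owned by "alice"; the default caller "bob" is not the owner.
    """
    registry, store = Registry(), Store()
    store.blobs[LOCATION] = b"\x00constructed image bytes"
    registry.images["img-1"] = {
        "owner": "alice",
        "location": LOCATION,
        "protected": protected,
    }
    forbidden = False
    try:
        handler(registry, store, Context(user), "img-1")
    except Forbidden:
        forbidden = True
    return forbidden, LOCATION in store.blobs


if __name__ == "__main__":
    for name, handler in (("vulnerable", delete_vulnerable), ("fixed", delete_fixed)):
        print(name, "non-owner:", run_scenario(handler))
        print(name, "protected, owner:", run_scenario(handler, user="alice", protected=True))
        print(name, "owner:", run_scenario(handler, user="alice"))
```

In the pre-fix order the non-owner's request is refused, yet the blob is already gone; in the post-fix order the same refusal leaves the store untouched, and the legitimate owner's delete still removes both metadata and data. The general rule the example illustrates is to perform the authorizing call before any irreversible side effect, which is also why the reviewer trade-off (an orphaned blob if the backend call fails afterwards) is the safer failure mode.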
--- Begin Message ---
Source: glance
Source-Version: 2012.1.1-2

We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated glance package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 27 Aug 2012 12:05:22 +0000
Source: glance
Binary: python-glance glance-common glance-api glance-registry glance python-glance-doc
Architecture: source all
Version: 2012.1.1-2
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description: 
 glance     - OpenStack Image Service - metapackage
 glance-api - OpenStack Image Service - API server
 glance-common - OpenStack Image Service - common files
 glance-registry - OpenStack Image Service - registry server
 python-glance - OpenStack Image Service - Python client library
 python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 681582 692641
Changes: 
 glance (2012.1.1-2) unstable; urgency=high
 .
   * Added Chinese Debconf translation, thanks to ben <duyujie....@gmail.com>.
   * CVE-2012-4573: Authentication bypass for image deletion (Closes: #692641).
   * Fixes test_interrupt_avoids_respawn_storm failing when run under fakeroot
   by disabling the tests (Closes: #681582). Also adds a || true since pep8 is
   nitpicking a source code line as too large.
Checksums-Sha1: 
 412c20f208f8661d7b74f3800931940283236cc6 1971 glance_2012.1.1-2.dsc
 304efa89b183629463fc03b4a1f9a6b67d8f1141 25347 glance_2012.1.1-2.debian.tar.gz
 75ac6ec9eddd6ae75b00e94cf114761205a69c69 235314 python-glance_2012.1.1-2_all.deb
 79299cc117310a97af279c8f62000c2043420a65 27366 glance-common_2012.1.1-2_all.deb
 632dbfb50af139d26c08322f260029a260c45429 25394 glance-api_2012.1.1-2_all.deb
 d09c6c8ed3fce34b61b966af93ffbcd7bd25bad9 14636 glance-registry_2012.1.1-2_all.deb
 aa1ff0fa752c07c5977b95ccd7e09d01e3604a6f 5048 glance_2012.1.1-2_all.deb
 fc5d4e1b125e44ad24c7a1c46abcfae931b7603a 137682 python-glance-doc_2012.1.1-2_all.deb
Checksums-Sha256: 
 ace046400431bee53c3a618a4dc04bd110b56d2770c89dfe3086438b9c9156a2 1971 glance_2012.1.1-2.dsc
 a154322283cf73ff5276eff9855123be49dcfb1b685d821a9465d3f3074c5be2 25347 glance_2012.1.1-2.debian.tar.gz
 40474559b5b77f5803539fef25290c95c3aeada78f66d8fca3e83400d1731444 235314 python-glance_2012.1.1-2_all.deb
 5ee841581061276387b8e9e742b71bc347338a484e9feef03eb536fa1e223646 27366 glance-common_2012.1.1-2_all.deb
 7a57db7c45f2fa90718760e19c0cf375398d63a91cc006dfe5bc61916023044b 25394 glance-api_2012.1.1-2_all.deb
 85f522fee02c52b66342a0600dc763ebb6a5c12599029c0898df54527888bc30 14636 glance-registry_2012.1.1-2_all.deb
 e14a5aa5f86812709863abf6dc3f5ed59ee393bc617b701a31a82ef813554eed 5048 glance_2012.1.1-2_all.deb
 e02c979437349fdc598122ebbbeabc7d8cbaab3e06b349f2ff24bae189a56cae 137682 python-glance-doc_2012.1.1-2_all.deb
Files: 
 dd5864799553d99a66f5585f573fe648 1971 net extra glance_2012.1.1-2.dsc
 103429e5547ef401cf0b868829ef4af3 25347 net extra glance_2012.1.1-2.debian.tar.gz
 79b633b64a67f3168a37a44add6f46a8 235314 python extra python-glance_2012.1.1-2_all.deb
 9cc437966a585432076634cff2da24f6 27366 python extra glance-common_2012.1.1-2_all.deb
 2419ab11de9a15087d56ac7cd45076d9 25394 python extra glance-api_2012.1.1-2_all.deb
 26b5987e2327ba967b4e8e2fa2a66789 14636 python extra glance-registry_2012.1.1-2_all.deb
 b95e405bbadd19a0d7a1ce8602bc3d34 5048 python extra glance_2012.1.1-2_all.deb
 d515f76b9347030c79a0f9ff3f23c10c 137682 doc extra python-glance-doc_2012.1.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlCbe9kACgkQl4M9yZjvmklJtgCfRqfrCXWZlWks1aVoeuTmQDH1
xEMAoJ0yr8/U2VNqCVN6rjTYZnrZsGfw
=aQQg
-----END PGP SIGNATURE-----

--- End Message ---