Your message dated Fri, 09 Nov 2012 18:02:30 +0000
with message-id <e1twsuu-0007pg...@franck.debian.org>
and subject line Bug#692641: fixed in glance 2012.1.1-3
has caused the Debian Bug report #692641,
regarding CVE-2012-4573: Authentication bypass for image deletion
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
692641: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692641
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glance
Version: 2012.1.1-1.1
Severity: critical
Gabe Westmaas from Rackspace reported a vulnerability in Glance
authentication of image deletion requests. Authenticated users may be
able to delete arbitrary, non-protected images from Glance servers. Only
Folsom/Grizzly deployments that expose the v1 API are affected by this
vulnerability. Additionally, Essex deployments that use the
delayed_delete option are also affected.
Below is the proposed patch.
Thomas
diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
index 9bedf20..2684454 100644
--- a/glance/api/v1/images.py
+++ b/glance/api/v1/images.py
@@ -738,10 +738,10 @@ class Controller(controller.BaseController):
# to delete the image if the backend doesn't yet store it.
# See https://bugs.launchpad.net/glance/+bug/747799
try:
+ registry.delete_image_metadata(req.context, id)
if image['location']:
schedule_delete_from_backend(image['location'], self.conf,
req.context, id)
- registry.delete_image_metadata(req.context, id)
except exception.NotFound, e:
msg = ("Failed to find image to delete: %(e)s" % locals())
for line in msg.split('\n'):
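Review bot: the reorder in this hunk makes registry.delete_image_metadata, and whatever authorization the registry enforces, run before schedule_delete_from_backend, which is the intended fix, but it also changes failure handling in two ways the hunk does not address: an authorization error raised by the registry call is not exception.NotFound, so it propagates past the only except clause shown (confirm how that error surfaces to the client rather than as a generic server error), and if schedule_delete_from_backend now fails after the metadata is already deleted, the stored image data is orphaned with nothing referencing it, which the comment above about deleting the image "if the backend doesn't yet store it" does not cover. Note also that the 2012.1.1-3 changelog in this thread records that this proposed patch was discarded in favour of the upstream one.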
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
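An added example, not code from Glance or from the bug report, modelling the ordering that the proposed patch changes: the registry enforces an assumed owner-or-admin rule (hypothetical; Glance's real policy is not shown on this page), the backend store is a dict of blobs, and both handler orders are run against the same constructed state to show which one leaves a non-owner's rejected request with the image data already gone.

```python
class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

class Registry:
    """Stand-in for glance.registry: metadata store plus the ownership check."""
    def __init__(self, images):
        self.images = images  # image id -> {'owner': ..., 'location': ...}

    def get(self, image_id):
        if image_id not in self.images:
            raise NotFound(image_id)
        return self.images[image_id]

    def delete_image_metadata(self, ctx, image_id):
        # Assumed policy (hypothetical, not Glance's): only owner or admin may delete.
        if not ctx['is_admin'] and self.get(image_id)['owner'] != ctx['user']:
            raise Forbidden(image_id)
        del self.images[image_id]

def schedule_delete_from_backend(blobs, location):
    blobs.pop(location, None)  # stand-in for the store delete: the irreversible step

def delete_before_patch(registry, blobs, ctx, image_id):
    """Original order: backend delete is scheduled before the registry's check."""
    image = registry.get(image_id)
    if image['location']:
        schedule_delete_from_backend(blobs, image['location'])
    registry.delete_image_metadata(ctx, image_id)

def delete_after_patch(registry, blobs, ctx, image_id):
    """Proposed order: the registry call, with its ownership check, runs first."""
    image = registry.get(image_id)
    registry.delete_image_metadata(ctx, image_id)
    if image['location']:
        schedule_delete_from_backend(blobs, image['location'])

def attempt(handler, ctx, image_id='img-1'):
    """One delete request on fresh constructed state -> (outcome, meta_kept, blob_kept)."""
    registry = Registry({'img-1': {'owner': 'alice', 'location': 'file:///img-1'}})
    blobs = {'file:///img-1': b'constructed image bytes'}
    try:
        handler(registry, blobs, ctx, image_id)
        outcome = 'deleted'
    except (Forbidden, NotFound) as e:
        outcome = type(e).__name__
    return outcome, image_id in registry.images, 'file:///img-1' in blobs
```

With the original order a non-owner's request is refused by the registry yet the blob is already scheduled for deletion; with the patched order the refusal happens before any side effect.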
--- Begin Message ---
Source: glance
Source-Version: 2012.1.1-3
We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated glance package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 09 Nov 2012 18:38:02 +0000
Source: glance
Binary: python-glance glance-common glance-api glance-registry glance
python-glance-doc
Architecture: source all
Version: 2012.1.1-3
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
glance - OpenStack Image Service - metapackage
glance-api - OpenStack Image Service - API server
glance-common - OpenStack Image Service - common files
glance-registry - OpenStack Image Service - registry server
python-glance - OpenStack Image Service - Python client library
python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 692641
Changes:
glance (2012.1.1-3) unstable; urgency=high
.
* New upstream patch for CVE-2012-4573. Previous patch is to be discarded,
according to bcwaldon on IRC (Closes: #692641).
--- End Message ---