Your message dated Wed, 21 Jan 2015 16:48:31 +0000
with message-id <e1ydysf-0008el...@franck.debian.org>
and subject line Bug#775926: fixed in glance 2014.1.3-11
has caused the Debian Bug report #775926,
regarding CVE-2015-1195: Glance still allows users to download and delete any file in glance-api server
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
775926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775926
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glance
Version: 2014.1.3-10
Severity: critical
Tags: security patch
Title: Glance v2 API unrestricted path traversal through filesystem:// scheme
Reporter: Jin Liu (EMC)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.1
Description:
Jin Liu from EMC reported that path traversal vulnerabilities in Glance
were not fully patched in OSSA 2014-041. By setting a malicious image
location to a filesystem:// scheme, an authenticated user can still
download or delete any file on the Glance server to which the Glance
process user has access. Only setups using the Glance V2 API are
affected by this flaw.
Kilo (development branch) fix:
https://review.openstack.org/145640
Juno fix:
https://review.openstack.org/145916
Icehouse fix:
https://review.openstack.org/145974
--- End Message ---
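The report above describes a deny-list that blocked `file://` but not the equivalent `filesystem://` scheme. The following is an added example (not Glance's code nor the upstream patch) that contrasts a scheme deny-list with a scheme allow-list for user-supplied image locations; the allowed scheme set and all sample URLs are constructed for illustration.

```python
# Added example, not from Glance or the referenced upstream reviews.
# Shows why a scheme deny-list was bypassable (CVE-2015-1195) and how an
# allow-list of remote backends closes the whole class.
from urllib.parse import urlsplit

# Constructed: what a deny-list that only knows about file:// looks like.
DENYLISTED_SCHEMES = {"file"}

# Assumption for this example: backends an operator lets users reference.
# Any local-store scheme (file, filesystem) is deliberately absent.
ALLOWED_SCHEMES = {"http", "https", "swift", "rbd", "sheepdog", "cinder"}


def denylist_permits(location_url: str) -> bool:
    """Deny-list check: accepts anything not explicitly named."""
    scheme = urlsplit(location_url).scheme.lower()
    return scheme not in DENYLISTED_SCHEMES


def allowlist_permits(location_url: str) -> bool:
    """Allow-list check: only known remote backends are accepted.

    A location with no scheme is rejected as well, since a bare path would
    otherwise be resolved against the server's local store directory.
    """
    parts = urlsplit(location_url)
    scheme = parts.scheme.lower()
    if not scheme or scheme not in ALLOWED_SCHEMES:
        return False
    # Require some target after the scheme so "http:" alone is not accepted.
    return bool(parts.netloc or parts.path)


def find_local_store_locations(locations: list) -> list:
    """Audit helper: return every location URL the allow-list would reject.

    Useful for scanning existing image records for locations that point at
    the API server's own filesystem.
    """
    return [url for url in locations if not allowlist_permits(url)]


if __name__ == "__main__":
    # Constructed sample locations, including the scheme the deny-list missed.
    samples = [
        "http://images.example.internal/cirros.img",
        "file:///var/lib/glance/images/other-tenant-image",
        "filesystem:///var/lib/glance/images/other-tenant-image",
        "/var/lib/glance/images/other-tenant-image",
    ]
    for url in samples:
        print(f"{url}: denylist={denylist_permits(url)} allowlist={allowlist_permits(url)}")
```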
--- Begin Message ---
Source: glance
Source-Version: 2014.1.3-11
We believe that the bug you reported is fixed in the latest version of
glance, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated glance package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 21 Jan 2015 16:13:33 +0000
Source: glance
Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry
Architecture: source all
Version: 2014.1.3-11
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
glance - OpenStack Image Service - metapackage
glance-api - OpenStack Image Service - API server
glance-common - OpenStack Image Service - common files
glance-registry - OpenStack Image Service - registry server
python-glance - OpenStack Image Service - Python client library
python-glance-doc - OpenStack Image Service - Python library documentation
Closes: 775926
Changes:
glance (2014.1.3-11) unstable; urgency=high
.
* CVE-2015-1195: fixes "Glance still allows users to download and delete any
file in glance-api server" by applying upstream patch (Closes: #775926).
--- End Message ---