Your message dated Tue, 16 Jun 2015 22:07:00 +0000
with message-id <e1z4z0w-00078a...@franck.debian.org>
and subject line Bug#788996: fixed in cinder
2015.1.0+2015.06.16.git26.9634b76ba5-1
has caused the Debian Bug report #788996,
regarding CVE-2015-1850: [OSSA 2015-011] Cinder host file disclosure through
qcow2 backing file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
788996: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788996
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cinder
Severity: grave
Tags: security patch
=====================================================================
OSSA-2015-011: Cinder host file disclosure through qcow2 backing file
=====================================================================

:Date: June 16, 2015
:CVE: CVE-2015-1850

Affects
~~~~~~~
- Cinder: versions through 2014.1.4,
  and 2014.2 versions through 2014.2.3,
  and version 2015.1.0

Description
~~~~~~~~~~~
Bastian Blank from credativ reported a vulnerability in Cinder. By
overwriting an image with a malicious qcow2 header, an authenticated
user may mislead the Cinder upload-to-image action, resulting in
disclosure of any file from the Cinder server. All Cinder setups are
affected.

Patches
~~~~~~~
- https://review.openstack.org/191871 (Icehouse)
- https://review.openstack.org/191865 (Juno)
- https://review.openstack.org/191786 (Kilo)
- https://review.openstack.org/191785 (Liberty)

Credits
~~~~~~~
- Bastian Blank from Credativ (CVE-2015-1850)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1415087
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1850

Notes
~~~~~
- This fix will be included in future 2014.1.5 (icehouse), 2014.2.4
  (juno) and 2015.1.1 (kilo) releases.
--- End Message ---
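
The condition the advisory describes, volume content that parses as a qcow2 header referencing a backing file, can be detected by reading the first bytes of the volume before any format-probing tool handles it. The following is an added example, not part of the advisory or of the upstream Cinder patches; the function names, the reject policy and the sample bytes are assumptions constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Start of the qcow2 header, big-endian: magic, version (u32),
# backing_file_offset (u64), backing_file_size (u32).
HEADER = struct.Struct(">4sIQI")
MAX_BACKING_NAME = 1023  # longest backing file name the format allows


def inspect_volume_header(data):
    """Report whether bytes expected to be raw volume data parse as qcow2."""
    info = {"qcow2": False, "version": None, "backing_file": None}
    if len(data) < HEADER.size or not data.startswith(QCOW2_MAGIC):
        return info
    _, version, offset, size = HEADER.unpack_from(data)
    info.update(qcow2=True, version=version)
    if offset == 0:  # offset 0 means no backing file is referenced
        return info
    end = offset + size
    if 0 < size <= MAX_BACKING_NAME and end <= len(data):
        info["backing_file"] = data[offset:end].decode("utf-8", "replace")
    else:
        # A backing file is claimed but its name is outside the bytes read.
        info["backing_file"] = "<unreadable>"
    return info


def must_reject(data):
    """True when the volume content references a qcow2 backing file."""
    return inspect_volume_header(data)["backing_file"] is not None


def constructed_sample(backing_name=b""):
    """Build a constructed 72-byte qcow2 v2 header for exercising the check."""
    offset = 72 if backing_name else 0
    head = HEADER.pack(QCOW2_MAGIC, 2, offset, len(backing_name))
    return head.ljust(72, b"\0") + backing_name


if __name__ == "__main__":
    for label, blob in [
        ("raw data", b"\0" * 512),
        ("qcow2, no backing file", constructed_sample()),
        ("qcow2 with backing file", constructed_sample(b"placeholder-base.img")),
    ]:
        print(label, inspect_volume_header(blob), must_reject(blob))
```
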
--- Begin Message ---
Source: cinder
Source-Version: 2015.1.0+2015.06.16.git26.9634b76ba5-1
We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 788...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated cinder package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 16 Jun 2015 22:36:48 +0200
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler
cinder-backup
Architecture: source all
Version: 2015.1.0+2015.06.16.git26.9634b76ba5-1
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
cinder-api - OpenStack block storage system - API server
cinder-backup - OpenStack block storage system - Backup server
cinder-common - OpenStack block storage system - common files
cinder-scheduler - OpenStack block storage system - Scheduler server
cinder-volume - OpenStack block storage system - Volume server
python-cinder - OpenStack block storage system - Python libraries
Closes: 788996
Changes:
cinder (2015.1.0+2015.06.16.git26.9634b76ba5-1) unstable; urgency=high
.
* New upstream release (based on commit 26th g9634b76):
- Addresses CVE-2015-1850 / OSSA 2015-011 (Closes: #788996).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---