UbuntuUpdates.org

Package "glance"

Name: glance

Description:

OpenStack Image Registry and Delivery Service - Daemons

Latest version: 1:2014.1.5-0ubuntu1.1
Release: trusty (14.04)
Level: security
Repository: main
Homepage: http://launchpad.net/glance


Other versions of "glance" in Trusty

Repository  Area  Version
base        main  1:2014.1-0ubuntu1
updates     main  1:2014.1.5-0ubuntu1.1


Changelog

Version: 1:2014.1.5-0ubuntu1.1 2017-10-11 12:06:53 UTC

  glance (1:2014.1.5-0ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: access restrictions bypass via status changing
    - debian/patches/CVE-2015-5251.patch: prevent image status being
      directly modified in glance/api/v1/__init__.py,
      glance/api/v1/images.py, glance/tests/functional/v1/test_api.py,
      glance/tests/integration/legacy_functional/test_v1_api.py,
      test-requirements.txt.
    - CVE-2015-5251
  * SECURITY UPDATE: storage quota bypass
    - debian/patches/CVE-2015-5286.patch: cleanup chunks for deleted image
      if token expired in glance/api/v1/upload_utils.py,
      glance/api/v2/image_data.py.
    - CVE-2015-5286
  * SECURITY UPDATE: image status manipulation through locations removal
    - debian/patches/CVE-2016-0757.patch: prevent user from removing last
      location of the image in glance/api/v2/images.py,
      glance/tests/functional/v2/test_images.py,
      glance/tests/unit/v2/test_images_resource.py.
    - CVE-2016-0757

 -- Marc Deslauriers <email address hidden> Fri, 25 Aug 2017 13:10:04 -0400

CVE-2015-5251 OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of
CVE-2015-5286 OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage q
CVE-2016-0757 OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote aut

Version: 1:2014.1.2-0ubuntu1.1 2014-08-21 20:06:37 UTC

  glance (1:2014.1.2-0ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Enforce image_size_cap on v2 upload
    - debian/patches/CVE-2014-5356.patch: ensure image_size_cap should be
      checked and enforced on upload
    - CVE-2014-5356
    - LP: #1315321

 -- Jamie Strandboge <email address hidden> Thu, 21 Aug 2014 09:22:53 -0500

1315321 [OSSA 2014-028] image_size_cap not checked in v2 (CVE-2014-5356)
CVE-2014-5356 Glance store DoS through disk space exhaustion


