Ubuntu Security Notice 3446-1 - Hemanth Makkapati discovered that OpenStack Glance incorrectly handled access restrictions. A remote authenticated user could use this issue to change the status of images, contrary to access restrictions. Mike Fedosin and Alexei Galkin discovered that OpenStack Glance incorrectly handled the storage quota. A remote authenticated user could use this issue to consume disk resources, leading to a denial of service. Various other issues were also addressed.
==========================================================================
Ubuntu Security Notice USN-3446-1
October 11, 2017
glance vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenStack Glance.

Software Description:
- glance: OpenStack Image Registry and Delivery Service

Details:

Hemanth Makkapati discovered that OpenStack Glance incorrectly handled
access restrictions. A remote authenticated user could use this issue to
change the status of images, contrary to access restrictions.
(CVE-2015-5251)

Mike Fedosin and Alexei Galkin discovered that OpenStack Glance incorrectly
handled the storage quota. A remote authenticated user could use this issue
to consume disk resources, leading to a denial of service. (CVE-2015-5286)

Erno Kuvaja discovered that OpenStack Glance incorrectly handled the
show_multiple_locations option. When show_multiple_locations is enabled,
a remote authenticated user could change an image status and upload new
image data. (CVE-2016-0757)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  glance-common 1:2014.1.5-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3446-1
  CVE-2015-5251, CVE-2015-5286, CVE-2016-0757

Package Information:
  https://launchpad.net/ubuntu/+source/glance/1:2014.1.5-0ubuntu1.1