Thierry Carrez (thierry) reports on behalf of the OpenStack Project:
Title: Backend password leak in Glance error message
Reporter: Dan Prince (Red Hat)
Affects: All versions
Dan Prince of Red Hat discovered an issue in Glance error reporting. By
creating an image in Glance by URL that references a mis-configured
Swift endpoint, or if the Swift endpoint that a previously-ACTIVE image
references for any reason becomes unusable, an authenticated user may
access the Glance operator's Swift credentials for that endpoint. Only
setups that use the single-tenant Swift store are affected.
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series. Unless a flaw is discovered in them, these
proposed patches will be merged to Glance master, stable/folsom and
stable/essex branches on the public disclosure date.
Created attachment 685412
Created attachment 685413
Created attachment 685414
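The root cause described in the report is that a store failure surfaces the image's backend location, and for the single-tenant Swift store that location carries the operator's credentials in its userinfo. The following added example (not Glance's own code and not one of the attached patches) shows the defensive pattern: redact the userinfo portion of a store URI before it is logged or placed in an error message returned to an API user. The `swift+http://account:user:key@host/container/object` location layout and the `format_store_error` helper are assumptions for illustration; the sample location and key are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a single-tenant Swift store location. In this
# (assumed) layout the userinfo part before '@' holds the operator's
# Swift account, user and key, which is exactly what must not leak.
SAMPLE_LOCATION = "swift+http://acct:svc:s3cr3t-key@swift.example.com:8080/images/abc123"


def redact_uri_credentials(uri: str, mask: str = "***") -> str:
    """Return `uri` with any userinfo (user:password) replaced by `mask`.

    Only the netloc is touched, so the scheme, host, port and object path
    stay intact for debugging while the credentials are removed. URIs
    without embedded credentials are returned unchanged.
    """
    parts = urlsplit(uri)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:
        # No '@' in the authority: nothing to hide.
        return uri
    # Replace the whole userinfo, not just the password: the account and
    # user names are also part of the credential set for this store.
    return urlunsplit(parts._replace(netloc=f"{mask}@{hostport}"))


def format_store_error(location: str, reason: str) -> str:
    """Build the message a user may see when the backend is unusable.

    The location is redacted first, so a misconfigured or unreachable
    endpoint never turns into a credential disclosure.
    """
    return f"Backend store location {redact_uri_credentials(location)} is unusable: {reason}"


def leaks_secret(message: str, secret: str) -> bool:
    """Check used by a unit test or log audit: does the text carry the key?"""
    return secret in message


if __name__ == "__main__":
    msg = format_store_error(SAMPLE_LOCATION, "connection refused")
    print(msg)
    print("leaks key:", leaks_secret(msg, "s3cr3t-key"))
```

The same redaction should be applied wherever the location string can reach output: exception text, log lines and the image's `location` field in API responses. A unit test that feeds a credential-bearing location through the error path and asserts the key is absent from the resulting message is a cheap regression guard for this class of bug.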
This issue was discovered by Dan Prince of Red Hat.
This is now public: https://bugs.launchpad.net/glance/+bug/1098962
This issue has been addressed in the following products:
OpenStack Folsom for RHEL 6
Via RHSA-2013:0209 https://rhn.redhat.com/errata/RHSA-2013-0209.html
openstack-glance-2012.2.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.