Thierry Carrez (thierry) reports: Title: Backend credentials leak in Glance v1 API Reporter: Stuart McLaren (HP) Products: Glance Affects: All versions Description: Stuart McLaren from HP reported a vulnerability in the information potentially returned to the user in Glance v1 API. If an authenticated user requests, through the v1 API, an image that is already cached, the headers returned may disclose the Glance operator's backend credentials for that endpoint. Only setups accepting the Glance v1 API and using either the single-tenant Swift store or S3 store are affected. Proposed patches: See attached patches. Unless a flaw is discovered in them, these patches will be merged to Glance master (Grizzly), stable/folsom, and stable/essex branches on the public disclosure date.
Created attachment 708714 [details] stable-essex-CVE-2013-1840.patch
Created attachment 708716 [details] stable-folsom-CVE-2013-1840.patch
Created attachment 708718 [details] grizzly-CVE-2013-1840.patch
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1840 http://www.openwall.com/lists/oss-security/2013/03/14/15 https://bugs.launchpad.net/glance/+bug/1135541 https://review.openstack.org/#/c/24437/ https://review.openstack.org/#/c/24438/ https://review.openstack.org/#/c/24439/ http://www.ubuntu.com/usn/USN-1764-1 http://www.securityfocus.com/bid/58490 http://osvdb.org/91304 http://secunia.com/advisories/52565 http://xforce.iss.net/xforce/xfdb/82878
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Stuart McLaren (HP) as the original reporter.
This issue has been addressed in following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0707 https://rhn.redhat.com/errata/RHSA-2013-0707.html