Skip to navigation

Security Advisory Low: openstack-glance security update

Advisory: RHSA-2012:1558-1
Type: Security Advisory
Severity: Low
Issued on: 2012-12-10
Last updated on: 2012-12-10
Affected Products: Red Hat OpenStack Essex
CVEs (cve.mitre.org): CVE-2012-4573

Details

Updated openstack-glance packages that fix multiple bugs and add various
enhancements are now available for Red Hat OpenStack Essex.

The openstack-glance packages allows virtual machine images to be discovered,
registered and retrieved. It also includes a RESTful API to provide these
services to other applications.

The openstack-glance packages have been upgraded to upstream version 2012.1.2,
which provide a number of bug fixes and enhancements over the previous version.

A flaw in Keystone allowed an attacker with access to the web and network
interfaces to delete arbitrary, non-protected images from Glance servers.
(CVE-2012-4573)

Red Hat would like to thank the OpenStack project for reporting this
issue. Upstream acknowledges Gabe Westmaas as the original reporter of
CVE-2012-4573.

All users of openstack-glance are advised to upgrade to these updated packages,
which fix these bugs and add these enhancements. After installing the updated
packages, the Glance services (openstack-glance-api and
openstack-glance-registry) will be restarted automatically.


Solution

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat OpenStack Essex

SRPMS:
openstack-glance-2012.1.2-2.el6.src.rpm     MD5: 40cf7ae924aeb0e3553136965f41d64a
SHA-256: 4b144969a4a119ff7b03e492786481408e8d19ce869eae4c23ef025f493051a5
 
x86_64:
openstack-glance-2012.1.2-2.el6.noarch.rpm     MD5: d25210bbd4360d633940bd6d3147fd42
SHA-256: 2c1ff844428d4225972a3a9d7b56bae076f9afc28374430ab71d677a3d798714
openstack-glance-doc-2012.1.2-2.el6.noarch.rpm     MD5: e261a7052ad5a84d12e406f214189502
SHA-256: c6064b717708ff258117d104d8fc01ca6bf893b7979d78e8227d2c5757c50824
python-glance-2012.1.2-2.el6.noarch.rpm     MD5: 33f36df9713d3cd46514e6f486357370
SHA-256: 0041a6eb3f4854045aaa0b6310c1d938d1427953f0df4722a8aeffca3c43506a
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

872302 - CVE-2012-4573 OpenStack: Glance Authentication bypass for image deletion


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/