
Adds OSSA-2016-012 (CVE-2015-5162)

Change-Id: I9a85f50f0183d9303ebb73376801ae36917c71e1
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
Jeremy Stanley 2 years ago
parent commit 5cfb949aef
1 changed files with 58 additions and 0 deletions
ossa/OSSA-2016-012.yaml

@@ -0,0 +1,58 @@
+date: 2016-10-06
+
+id: OSSA-2016-012
+
+title: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova
+
+description: >
+  Richard W.M. Jones of Red Hat reported a vulnerability that
+  affects OpenStack Cinder, Glance and Nova. By providing a
+  maliciously crafted disk image an attacker can consume
+  considerable amounts of RAM and CPU time resulting in a denial of
+  service via resource exhaustion. Any project which makes calls to
+  qemu-img without appropriate ulimit restrictions in place is
+  affected by this flaw.
+
+affected-products:
+  - product: cinder
+    version: "<=7.0.2, >=8.0.0 <=8.1.1"
+  - product: glance
+    version: "<=11.0.1, ==12.0.0"
+  - product: nova
+    version: "<=12.0.4, ==13.0.0"
+
+vulnerabilities:
+  - cve-id: CVE-2015-5162
+
+reporters:
+  - name: Richard W.M. Jones
+    affiliation: Red Hat
+    reported:
+      - CVE-2015-5162
+
+issues:
+  links:
+    - https://launchpad.net/bugs/1449062
+
+reviews:
+  ocata:
+    - https://review.openstack.org/375099 (cinder)
+    - https://review.openstack.org/375526 (glance)
+  newton:
+    - https://review.openstack.org/375102 (cinder)
+    - https://review.openstack.org/377734 (glance)
+    - https://review.openstack.org/307663 (nova)
+  mitaka:
+    - https://review.openstack.org/375625 (cinder)
+    - https://review.openstack.org/377736 (glance)
+    - https://review.openstack.org/326327 (nova)
+  liberty:
+    - https://review.openstack.org/382573 (cinder)
+    - https://review.openstack.org/378012 (glance)
+    - https://review.openstack.org/327624 (nova)
+
+notes:
+  - >
+    Separate Ocata patches are listed for Cinder and Glance, as they
+    were fixed during the Newton release freeze after it branched
+    from master.
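Review bot: the `notes` entry explains why Cinder and Glance carry separate Ocata reviews, but leaves the missing Nova entry under `ocata:` unexplained, so a reader may take the gap for an unfixed Nova master branch; add a sentence stating where the Nova fix (review 307663 in the `newton:` list) sits relative to the Newton branch point, e.g. "The Nova fix landed on master before the Newton branch was cut, so no separate Ocata review exists." (adjust to the actual history). Also, the `description` names the vulnerable condition ("calls to qemu-img without appropriate ulimit restrictions") but never says what the linked reviews change; a short clause such as "The fixes wrap qemu-img invocations in resource limits" would let operators judge whether their own out-of-tree callers need the same treatment.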
