Wednesday, October 23, 2013

[USN-2005-1] Cinder vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2005-1
October 23, 2013

cinder vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

Cinder could be made to crash or expose sensitive information.

Software Description:
- cinder: OpenStack storage service

Details:

Rongze Zhu discovered that the Cinder LVM driver did not zero out data
when deleting snapshots. This could expose sensitive information to
authenticated users when subsequent servers use the volume. (CVE-2013-4183)

Grant Murphy discovered that Cinder would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Cinder API to
cause a denial of service via resource exhaustion. (CVE-2013-4179,
CVE-2013-4202)
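
Added example (not from this notice and not Cinder's own code): one way an API
service can refuse the XML entity processing described above, by rejecting any
request body that declares a DTD or entities before anything is expanded. The
function name, the exception class and the sample bodies are assumptions made
for illustration.

```python
import xml.parsers.expat

# Constructed sample request bodies (not taken from the advisory).
OK_BODY = b'<volume size="1" display_name="demo"/>'
ENTITY_BODY = b'<!DOCTYPE volume [<!ENTITY a "x">]><volume display_name="&a;"/>'


class ForbiddenXML(ValueError):
    """Raised when a request body carries a DTD or entity declaration."""


def parse_api_body(data):
    """Return the root tag and attributes, refusing DTDs and entities."""
    result = {"root": None, "attrs": {}}
    depth = 0

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed")

    def forbid_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %s" % name)

    def forbid_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed")

    def start_element(name, attrs):
        nonlocal depth
        if depth == 0:  # record only the document's root element
            result["root"] = name
            result["attrs"] = dict(attrs)
        depth += 1

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    # An exception raised in a handler aborts Parse() and propagates to the
    # caller, so parsing stops at the declaration, before any expansion.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)
    return result
```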

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-cinder 1:2013.1.3-0ubuntu2.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2005-1
CVE-2013-4179, CVE-2013-4183, CVE-2013-4202

Package Information:
https://launchpad.net/ubuntu/+source/cinder/1:2013.1.3-0ubuntu2.1
