CVE-2015-1851
Published: 25 June 2015
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.
Priority
Medium
Status
| Package | Release | Status |
|---|---|---|
|
cinder Launchpad, Ubuntu, Debian |
Upstream |
Released
(2014.1.5,2014.2.4,2015.1.1)
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was not-affected [1:2014.1.5-0ubuntu1])
|
|
|
Patches: Upstream: https://review.openstack.org/191786 (kilo) |
||
Notes
| Author | Note |
|---|---|
| mdeslaur | not going to be fixed before 14.10 goes EoL |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1851
- http://www.openwall.com/lists/oss-security/2015/06/13/1
- http://lists.openstack.org/pipermail/openstack-announce/2015-June/000367.html
- https://usn.ubuntu.com/usn/usn-2703-1
- NVD
- Launchpad
- Debian