CVE-2015-5251

Publication date 22 September 2015

Last updated 24 July 2024

OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
glance	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Not affected
	15.04 vivid	Not affected
	14.04 LTS trusty	Fixed 1:2014.1.5-0ubuntu1.1
	12.04 LTS precise	Ignored

Notes

tyhicks

12.04 likely needs the ACTIVE_IMMUTABLE check, as well.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
glance	Upstream: https://review.openstack.org/226338 Upstream: https://review.openstack.org/226337 Upstream: https://review.openstack.org/226336 Vendor: vendor: http://ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en/RHOS/SRPMS/openstack-glance-2014.1.5-5.el7ost.src.rpm

References

Related Ubuntu Security Notices (USN)