CVE-2013-4469

OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_images is set to False, does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by transferring an image with a large virtual size that does not contain a large amount of data from Glance. NOTE: this issue is due to an incomplete fix for CVE-2013-2096.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nova	14.04 LTS trusty	Not in release
	13.10 saucy	Fixed 1:2013.2.3-0ubuntu1.2
	13.04 raring	Ignored end of life
	12.10 quantal	Ignored end of life, was pending
	12.04 LTS precise	Fixed 2012.1.3+stable-20130423-e52e6912-0ubuntu1.4
	10.04 LTS lucid	Not in release

Notes

jdstrand

patch for CVE-2013-4463 should fix this saucy needs a no change rebuild for saucy-security

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
nova	Vendor: https://bugzilla.redhat.com/attachment.cgi?id=816275&action=diff Vendor: https://bugzilla.redhat.com/attachment.cgi?id=816276&action=diff Vendor: https://bugzilla.redhat.com/attachment.cgi?id=816277&action=diff Upstream: f6810be Upstream: 3cdfe89 Upstream: 135faa7 Upstream: https://review.openstack.org/54767 Upstream: https://review.openstack.org/54768

References

Related Ubuntu Security Notices (USN)

USN-2247-1
OpenStack Nova vulnerabilities
17 June 2014

Status

Notes

Patch details

References

Related Ubuntu Security Notices (USN)

Other references