PublicDateAtUSN: 2015-06-25
Candidate: CVE-2015-1851
PublicDate: 2015-06-25 16:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1851
 http://www.openwall.com/lists/oss-security/2015/06/13/1
 http://lists.openstack.org/pipermail/openstack-announce/2015-June/000367.html
 https://ubuntu.com/security/notices/USN-2703-1
Description:
 OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4
 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated
 users to read arbitrary files via a crafted qcow2 signature in an image to
 the upload-to-image command.
Ubuntu-Description:
Notes:
 mdeslaur> not going to be fixed before 14.10 goes EoL
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=1231817
 https://bugs.launchpad.net/cinder/+bug/1415087
Priority: medium
Discovered-by: Bastian Blank
Assigned-to: mdeslaur
CVSS:

Patches_cinder:
 upstream: https://review.openstack.org/191786 (kilo)
upstream_cinder: released (2014.1.5,2014.2.4,2015.1.1)
precise_cinder: DNE
trusty_cinder: not-affected (1:2014.1.5-0ubuntu1)
trusty/esm_cinder: DNE (trusty was not-affected [1:2014.1.5-0ubuntu1])
utopic_cinder: ignored (reached end-of-life)
vivid_cinder: released (1:2015.1.0-0ubuntu1.1)
devel_cinder: not-affected (2:7.0.0~b1-0ubuntu1)