Red Hat RHSA-2013:0658
History: Mar 21, 2013 - 12:00 a.m.

(RHSA-2013:0658) Moderate: openstack-cinder security and enhancement update

2013-03-21 00:00:00
access.redhat.com

CVSS2: 5.0 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Partial

EPSS: 0.077 (Low), percentile 93.2%

The openstack-cinder packages provide OpenStack Volume (code name Cinder),
which provides services to manage and access block storage volumes for use
by virtual machine instances.

A denial of service flaw was found in the Extensible Markup Language (XML)
parser used by Cinder. A remote attacker could use this flaw to send a
specially-crafted request to a Cinder API, causing Cinder to consume an
excessive amount of CPU and memory. (CVE-2013-1664)

A flaw was found in the XML parser used by Cinder. If a remote attacker
sent a specially-crafted request to a Cinder API, it could cause Cinder to
connect to external entities, causing a large amount of system load, or
allow an attacker to read files on the Cinder server that are accessible
to the user running Cinder. (CVE-2013-1665)
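Both flaws are the classic XML prologue problems: an inline DTD whose entities expand geometrically (an entity-expansion bomb, CVE-2013-1664) or whose SYSTEM identifier points at a local file or remote host (an external entity, CVE-2013-1665). The defence is to refuse the DTD and entity declarations before expat expands anything. The following is an added example written for this page, not Red Hat's patch or Cinder's own code; the <volume size=... display_name=...> request shape, the function names and the constructed request bodies are assumptions. It also goes one step beyond the advisory by showing a mode that tolerates a DOCTYPE but still refuses the entity declaration itself, so the reader can see which expat hook fires in each case.

```python
"""Hardened XML parsing against entity-expansion DoS and external entities.
Added example for this page (not Red Hat's patch nor Cinder's code); the
request body shape and the function names are assumptions."""
from xml.dom import minidom
from xml.sax import expatreader


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX expat reader that aborts on inline DTDs and entity declarations."""

    def __init__(self, forbid_dtd=True, forbid_entities=True):
        super().__init__()
        self.forbid_dtd = forbid_dtd
        self.forbid_entities = forbid_entities

    # expat invokes these while tokenising the prologue. Raising here stops
    # the parse before any entity body is expanded (the CPU/memory blow-up)
    # and before any SYSTEM identifier could be resolved (file/URL access).
    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("Inline DTD forbidden")

    def entity_decl(self, name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        raise ValueError("<!ENTITY> forbidden")

    def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
        raise ValueError("<!ENTITY> forbidden")

    def reset(self):
        # The base reset() builds the pyexpat parser and installs the
        # permissive defaults; install our handlers afterwards.
        super().reset()
        if self.forbid_dtd:
            self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
        if self.forbid_entities:
            self._parser.EntityDeclHandler = self.entity_decl
            self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl


def safe_minidom_parse_string(xml_text, forbid_dtd=True):
    """Parse untrusted XML into a minidom tree using the protected reader."""
    return minidom.parseString(
        xml_text, parser=ProtectedExpatParser(forbid_dtd=forbid_dtd))


def parse_volume_request(xml_text):
    """Extract the fields of a hypothetical volume-create body:
    <volume size="10" display_name="scratch"/>."""
    doc = safe_minidom_parse_string(xml_text)
    root = doc.documentElement
    if root.tagName != "volume":
        raise ValueError("expected <volume> root element")
    return {"size": int(root.getAttribute("size")),
            "display_name": root.getAttribute("display_name")}


def rejection_reason(xml_text, forbid_dtd=True):
    """Return why the hardened parser refused the body, or None if accepted."""
    try:
        safe_minidom_parse_string(xml_text, forbid_dtd=forbid_dtd)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed request bodies (not captured traffic).
BENIGN_REQUEST = '<?xml version="1.0"?><volume size="10" display_name="scratch"/>'

# Entity-expansion bomb: each level is ten copies of the previous one, so a
# few more levels would expand to gigabytes (the CVE-2013-1664 pattern).
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE volume [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<volume size="10" display_name="&lol3;"/>"""

# External entity: a permissive parser would read the file and could echo it
# back in an error message or response (the CVE-2013-1665 pattern).
XXE_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE volume [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<volume size="10" display_name="&xxe;"/>"""

if __name__ == "__main__":
    print(parse_volume_request(BENIGN_REQUEST))
    for body in (BILLION_LAUGHS, XXE_REQUEST):
        print("rejected:", rejection_reason(body))
        # Even with the DOCTYPE tolerated, the entity declaration is refused.
        print("rejected (DTD allowed):", rejection_reason(body, forbid_dtd=False))
```

Refusing the DOCTYPE outright is the right default for an API that never needs one; the entity-only mode is included to show that the declaration hook fires before any expansion or fetch, not to recommend allowing DTDs. Modern expat releases also cap entity amplification on their own, but that limit is a backstop, not a substitute for rejecting the construct at the API boundary.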

This update also adds the following enhancement:

  • This update implements a Cinder driver that allows Red Hat Storage to be
    used as a back-end for Cinder volumes. To use this driver,
    “volume_driver = cinder.volume.glusterfs.GlusterfsDriver” and the
    “glusterfs_shares_config” option must be set in “/etc/cinder/cinder.conf”,
    and the RHSA-2013:0657 openstack-nova update must also be installed. Note
    that there is no volume snapshot or clone support when using this driver.
    (BZ#892686)

All users of openstack-cinder are advised to upgrade to these updated
packages, which fix these issues and add this enhancement. After the
updated packages are installed, the running Cinder services are restarted
automatically.
