(RHSA-2013:1198) Moderate: openstack-cinder security update

The openstack-cinder packages provide OpenStack Volume (Cinder), which
provides services to manage and access block storage volumes for use by
virtual machine instances.

It was found that the fixes for CVE-2013-1664 and CVE-2013-1665, released
via RHSA-2013:0658, did not fully correct the issues in the Extensible
Markup Language (XML) parser used by Cinder. A remote attacker could use
this flaw to send a specially-crafted request to a Cinder API, causing
Cinder to consume an excessive amount of CPU and memory, or possibly crash.
(CVE-2013-4202)

A bug in the Cinder LVM driver prevented LVM snapshots from being securely
deleted in some cases, potentially leading to information disclosure to
other tenants. (CVE-2013-4183)

The CVE-2013-4202 issue was discovered by Grant Murphy of the Red Hat
Product Security Team.

Additionally, openstack-cinder has been rebased to the latest Grizzly
stable release 2013.1.3. (BZ#993094)

All users of openstack-cinder are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the Cinder running services will be restarted automatically.