(RHSA-2014:1338) Moderate: openstack-glance security and bug fix update

ID RHSA-2014:1338
Type redhat
Reporter RedHat
Modified 2018-06-07T02:47:59


OpenStack Image service (glance) provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services.

It was discovered that the image_size_cap configuration option in glance was not honored. An authenticated user could use this flaw to upload an image to glance and consume all available storage space, resulting in a denial of service. (CVE-2014-5356)

This update also fixes the following bugs:

  • Whenever the 'x-image-meta-store' header was passed to glance-api, the service would check whether the value was a valid store instead of a valid scheme. However, the rest of the store library uses the scheme to identify the store that should be used; this prevented the use of this feature. Glance now verifies that the value of 'x-image-meta-store' is a valid scheme instead of a valid store name. (BZ#1134249)

  • With this update, Image Service (glance) is now dependent on oslo.vmware in order to support the optional VMware store. This hard dependency was created due to the likelihood that the dependencies are already installed and due to the diminutive size of the package. As a result, the user experience is improved by no longer requiring a manual oslo.vmware install. (BZ#1125876)

  • Previously, the process of upgrading from Red Hat Enterprise Linux OpenStack Platform 4 to 5 may have failed. (BZ#1139243)

All openstack-glance users are advised to upgrade to these updated packages, which correct these issues.