** Changed in: glance/juno
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1482371

Title:
  [OSSA 2015-019] Image status can be changed by passing header
  'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251)

Status in Glance:
  Fix Released
Status in Glance juno series:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Using Glance v1, one is able to change the status of an image to any one
  of the valid statuses by passing the header 'x-image-meta-status' with
  PUT on /images/<image id>. This bug provides a way for an image to
  transition states that are otherwise not possible in an image's
  lifecycle.

  See http://paste.openstack.org/show/pNL7kvIZUz7cWJQwX64d/ for a
  reproduction of this behavior on devstack.

  As shown in the above paste, though one is able to change the status of
  an active image to queued, uploading data after re-setting the status to
  queued fails with a 400 [1]. Though the purpose of [1] appears to be
  slightly different, it's fortunately saving us from badly breaking the
  immutability guarantees of glance images.

  [1] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L760-L765

  NOTE: Marking this as a security vulnerability for now as users would be
  able to activate the deactivated images on their own. This probably
  affects deployments only where v1 is exposed publicly. However, it's
  probably worth discussing this from a security perspective as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1482371/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to: yahoo-eng-team@lists.launchpad.net
Unsubscribe: https://launchpad.net/~yahoo-eng-team
More help: https://help.launchpad.net/ListHelp
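The mitigation a deployer would want while waiting for the fix is to refuse client-driven status changes on the v1 PUT path described above. The following is an added illustration, not Glance's own code or its actual patch: a small WSGI filter in front of the v1 API that rejects a PUT to /v1/images/<id> carrying 'x-image-meta-status' when the image is in a state it must not be moved out of. The header name and route come from the report; the set of protected states and the `lookup_status` callable are assumptions for this example.

```python
# Added example (not Glance's own code): a WSGI filter that refuses v1 PUT
# requests which try to set an image's status through 'x-image-meta-status'.
import re

# Route from the bug report; WSGI spells the header as HTTP_X_IMAGE_META_STATUS.
IMAGE_PUT_RE = re.compile(r"^/v1/images/([^/]+)$")
STATUS_HEADER = "HTTP_X_IMAGE_META_STATUS"

# Assumed for this example: states a client may never move an image out of
# by hand (the report's concern is re-activating a deactivated image).
IMMUTABLE_STATES = {"active", "deactivated", "deleted"}


def is_forbidden_status_request(method, path, headers, current_status):
    """True when a v1 image PUT carries a status header and the image is
    currently in a state that clients must not transition out of."""
    if method.upper() != "PUT" or not IMAGE_PUT_RE.match(path):
        return False
    if STATUS_HEADER not in headers:
        return False
    return current_status in IMMUTABLE_STATES


class StatusHeaderFilter:
    """WSGI middleware: 403 any forbidden status request, pass the rest on.

    `lookup_status` is an assumed callable mapping image id -> current status
    (in a real deployment it would consult the image registry/database)."""

    def __init__(self, app, lookup_status):
        self.app = app
        self.lookup_status = lookup_status

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "")
        path = environ.get("PATH_INFO", "")
        match = IMAGE_PUT_RE.match(path)
        if match and STATUS_HEADER in environ:
            current = self.lookup_status(match.group(1))
            if is_forbidden_status_request(method, path, environ, current):
                start_response("403 Forbidden",
                               [("Content-Type", "text/plain")])
                return [b"status changes via x-image-meta-status are not permitted\n"]
        return self.app(environ, start_response)
```

The filter only intercepts requests that both match the v1 image route and carry the status header, so ordinary metadata updates and uploads are passed through unchanged.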