Hi. So, it seems that we don't have a Folsom patch yet? Is anyone working on that? I also propose the following advisory. What do people think?
*****
OpenStack Security Advisory: 2013-XXX
CVE: Not yet assigned
Date: May 14, 2013
Title: Nova fails to verify image virtual size
Reporter: Loganathan Parthipan
Products: Nova
Affects: All versions
Loganathan Parthipan publicly reported a vulnerability in Nova. Nova did not
implement checking for the virtual size of a qcow2 image used as ephemeral
storage for instances. It is therefore possible for a user to create an image
which has a large virtual size, but little data. Once the instance is created,
the user can then proceed to fill the virtual disk, and consume all available
disk on the host node filesystem.
Havana (development branch) fix:
https://review.openstack.org/28717
Grizzly fix:
https://review.openstack.org/28901
Folsom fix:
No patch yet
References:
https://bugs.launchpad.net/keystone/+bug/1177830
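
The missing check described in the advisory, sketched as an added example (not part of the original comment and not the Nova patch): read the virtual size declared in a qcow2 header and reject the image when it exceeds the disk space the instance is allowed. The function names, the `allowed_bytes` parameter and the sample headers are assumptions constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Big-endian qcow2 header prefix: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, size (virtual disk size in bytes).
_HEADER = struct.Struct(">4sIQIIQ")


class ImageTooLarge(Exception):
    """Declared virtual size exceeds what the instance may use."""


def qcow2_virtual_size(header_bytes):
    """Return the virtual disk size (bytes) declared in a qcow2 header."""
    if len(header_bytes) < _HEADER.size:
        raise ValueError("truncated qcow2 header")
    magic, version, _bf_off, _bf_len, _cluster_bits, size = \
        _HEADER.unpack_from(header_bytes)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    return size


def check_image_fits(header_bytes, allowed_bytes):
    """Compare the virtual size, not the file size, against the limit.

    allowed_bytes is a hypothetical per-instance disk limit. The file
    on disk can be a few hundred KiB while the guest-visible disk is
    terabytes, so the file size alone says nothing about how much
    host storage the instance can eventually consume.
    """
    virtual = qcow2_virtual_size(header_bytes)
    if virtual > allowed_bytes:
        raise ImageTooLarge(
            "virtual size %d exceeds allowed %d" % (virtual, allowed_bytes))
    return virtual


def make_header(virtual_size, version=2, cluster_bits=16):
    """Build a constructed sample header (no backing file) for testing."""
    return _HEADER.pack(QCOW2_MAGIC, version, 0, 0, cluster_bits, virtual_size)


if __name__ == "__main__":
    GiB = 1024 ** 3
    print(check_image_fits(make_header(5 * GiB), 10 * GiB))
    try:
        check_image_fits(make_header(1024 * GiB), 10 * GiB)
    except ImageTooLarge as exc:
        print("rejected:", exc)
```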