lp:~yolanda.robla/glance/precise-security

Created by Yolanda Robla and last modified
Get this branch:
bzr branch lp:~yolanda.robla/glance/precise-security

Branch information

Owner:
Yolanda Robla
Project:
Glance
Status:
Development

Recent revisions

56. By Yolanda Robla

debian/patches/CVE-2012-4573.patch [efd7e75]

55. By Yolanda Robla

refreshed patches

54. By Yolanda Robla

* Resynchronize with stable/essex (74b067df) (LP: #1089488):
  - [74b067d] v1 api returns location as header for cached images LP: 1135541
  - [37d4d96] glance image-download can display backend Swift password
    LP: 1098962
  - [efd7e75] Non-admin users can cause public glance images to be deleted
    from the backend storage repository (LP: #1065187)
  - [e6be061] Jenkins jobs fail because of incompatibility between sqlalchemy-
    migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
* Dropped patches, superseded by snapshot:
  - debian/patches/CVE-2013-1840.patch [74b067d]
  - debian/patches/CVE-2013-0212.patch [37d4d96]
  - debian/patches/CVE-2012-4573.patch [efd7e75, e6be061]

53. By Jamie Strandboge

* SECURITY UPDATE: fix information disclosure via Glance v1 API
  - debian/patches/CVE-2013-1840.patch: adjust api/middleware/cache.py to
    not show image_meta['location']
  - CVE-2013-1840
  - LP: #1135541

52. By Jamie Strandboge

* SECURITY UPDATE: information disclosure via swift error messages
  - debian/patches/CVE-2013-0212.patch: adjust glance/store/swift.py to
    not show URLs and credentials in error messages and log output
  - CVE-2013-0212

51. By Jamie Strandboge

* SECURITY UPDATE: deletion of arbitrary public and shared images via
  authenticated user
  - debian/patches/CVE-2012-4573.patch: adjust glance/api/v1/images.py to
    ensure image is owned by user before delayed_deletion
  - CVE-2012-4573

50. By Adam Gandelman

[ Adam Gandelman ]
* debian/patches/disable_db_table_auto_create.patch: Disable auto-creation
  of database schema at service start, inspect for consistency and advise
  running manual migrations instead.
* debian/patches/fix_migration_012_foreign_keys.patch: Fix a migration issue
  around missing FKs. Cherry-picked from upstream. Can be dropped with
  first stable update.
* debian/patches/convert_properties_to_uuid.patch: Fixes migration 012 to
  also convert kernel_id and ramdisk_ids to UUID. Cherry picked from upstream.
  Can be dropped with first stable update (LP: #975651)
* debian/glance-common.postinst: Clean up, fix purging issue due to poor
  use of conditionals
* debian/glance-registry.postinst: Ensure new database is version_controlled
  before first call of db_sync.

[ Chuck Short ]
* debian/control: Fix upgrades from oneiric to precise. (LP: #974592)

49. By Chuck Short

New upstream release.

48. By Adam Gandelman

* New upstream release.
* debian/control: Add sqlite3 as a Build-Depends (for test suite)

47. By Chuck Short

* New upstream release.
* debian/rules: Fail build if testsuite fails.
* debian/patches/disable-swift-tests.patch: Disable swift tests that
  require a swift server setup.
* debian/patches/disable-network-for-docs.patch: Disable network for
  building docs.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 