Created by Yolanda Robla and last modified
Get this branch:
bzr branch lp:~yolanda.robla/glance/precise-security

Branch information

Yolanda Robla

Recent revisions

56. By Yolanda Robla

debian/patches/CVE-2012-4573.patch [efd7e75]

55. By Yolanda Robla

refreshed patches

54. By Yolanda Robla

* Resynchronize with stable/essex (74b067df) (LP: #1089488):
  - [74b067d] v1 api returns location as header for cached images LP: 1135541
  - [37d4d96] glance image-download can display backend Swift password
    LP: 1098962
  - [efd7e75] Non-admin users can cause public glance images to be deleted
    from the backend storage repository (LP: #1065187)
  - [e6be061] Jenkins jobs fail because of incompatibility between sqlalchemy-
    migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
* Dropped patches, superseded by snapshot:
  - debian/patches/CVE-2013-1840.patch [74b067d]
  - debian/patches/CVE-2013-0212.patch [37d4d96]
  - debian/patches/CVE-2012-4573.patch [efd7e75, e6be061]

53. By Jamie Strandboge

* SECURITY UPDATE: fix information disclosure via Glance v1 API
  - debian/patches/CVE-2013-1840.patch: adjust api/middleware/cache.py to
    not show image_meta['location']
  - CVE-2013-1840
  - LP: #1135541

52. By Jamie Strandboge

* SECURITY UPDATE: information disclosure via swift error messages
  - debian/patches/CVE-2013-0212.patch: adjust glance/store/swift.py to
    not show URLs and credentials in error messages and log output
  - CVE-2013-0212

51. By Jamie Strandboge

* SECURITY UPDATE: deletion of arbitrary public and shared images via
  authenticated user
  - debian/patches/CVE-2012-4573.patch: adjust glance/api/v1/images.py to
    ensure image is owned by user before delayed_deletion
  - CVE-2012-4573

50. By Adam Gandelman

[ Adam Gandelman ]
* debian/patches/disable_db_table_auto_create.patch: Disable auto-creation
  of database schema at service start, inspect for consistency and advise
  running manual migrations instead.
* debian/patches/fix_migration_012_foreign_keys.patch: Fix a migration issue
  around missing FKs. Cherry-picked from upstream. Can be dropped with
  first stable update.
* debian/patches/convert_properties_to_uuid.patch: Fixes migration 012 to
  also convert kernel_id and ramdisk_ids to UUID. Cherry picked from upstream.
  Can be dropped with first stable update (LP: #975651)
* debian/glance-common.postinst: Clean up, fix purging issue due to poor
  use of conditionals
* debian/glance-registry.postinst: Ensure new database is version_controlled
  before first call of db_sync.

[ Chuck Short ]
* debian/control: Fix upgrades from oneiric to precise. (LP: #974592)

49. By Chuck Short

New upstream release.

48. By Adam Gandelman

* New upstream release.
* debian/control: Add sqlite3 as a Build-Depends (for test suite)

47. By Chuck Short

* New upstream release.
* debian/rules: Fail build if testsuite fails.
* debian/patches/disable-swift-tests.patch: Disable swift tests that
  require a swift server setup.
* debian/patches/disable-network-for-docs.patch: Disable network for
  building docs.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)