oss-sec mailing list archives
CVE request for vulnerability in OpenStack Glance
From: Tristan Cacqueray <tdecacqu () redhat com>
Date: Tue, 17 Nov 2015 22:00:57 +0000
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Use of MD5 in OpenStack Glance image signature Reporter: Daniel P. Berrange (Red Hat) Products: Glance Affects: =11.0.0 Description: Daniel P. Berrange from Red Hat reported a vulnerability in Glance image signature. Glance computes cryptographic signature using MD5 hash of the image. By crafting a malicious image that produces a MD5 collision, a Glance backend operator may subvert the signature verification process, resulting in a corrupted image. All Glance setups are affected. References: https://launchpad.net/bugs/1516031 Thanks in advance, -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request for vulnerability in OpenStack Glance Tristan Cacqueray (Nov 17)
- Re: CVE request for vulnerability in OpenStack Glance cve-assign (Nov 18)
- Re: Re: CVE request for vulnerability in OpenStack Glance Tristan Cacqueray (Nov 18)
- Re: CVE request for vulnerability in OpenStack Glance cve-assign (Nov 18)