
oss-sec mailing list archives
Re: [OSSA 2015-011] Cinder host file disclosure through qcow2 backing file (CVE-2015-1851)
From: Tristan Cacqueray <tdecacqu () redhat com>
Date: Wed, 17 Jun 2015 06:43:00 -0700
Hi Salvatore,

On 06/16/2015 09:33 PM, Salvatore Bonaccorso wrote:
> Could you clarify if this CVE assignment is correct?

OSSA 2015-011 assigned the wrong CVE and it should have included CVE-2015-1851 instead. An ERRATA will be issued soon.

> I noticed that Red Hat Bugzilla has https://bugzilla.redhat.com/show_bug.cgi?id=1231816 (CVE-2015-1850) for the nova issue and similarly https://bugzilla.redhat.com/show_bug.cgi?id=1231817 (CVE-2015-1851) for the cinder issue. Is this correct?

This is correct. Note that while a CVE has been assigned for the Nova part, the bug has still not been reproduced there, and while there is no patch, Nova has been left out of this OSSA.

> Regards and thanks in advance,
> Salvatore

Thanks for bringing that up!

--
Tristan Cacqueray
OpenStack Vulnerability Management Team