lp://staging/ubuntu/quantal-updates/glance

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Bug #1235378: [OSSA 2013-027] 'image_download' role in v2 causes traceback

Undecided

Fix Committed

Link a bug report

Related blueprints

68. By Jamie Strandboge on 2013-10-22

* SECURITY UPDATE: enforce 'download_image' policy in cache middleware
  - debian/patches/CVE-2013-4428.patch: fix confusing behavior when using
    download_image. Ie, return 403 rather than empty content (LP: #1235378)
  - CVE-2013-4428

67. By Adam Gandelman on 2013-04-25

[ Adam Gandelman ]
* Dropped patches, applied upstream:
  - debian/patches/CVE-2013-1840.patch: [dd849a9]
* Resynchronize with stable/folsom (dbd3d3d7) (LP: #1179707):
  - [cfaa2d8] repeated deletion on image member does not result in 404
    LP: 1157427
  - [5b4d21d] glance-cache-prefetcher explodes when no auth parameters were
    configured LP: 1157765
  - [dd849a9] v1 api returns location as header for cached images LP: 1135541
  - [04f88c8] 500 error returned when an Admin tries to delete membership of
    image from a non-existent /invalid tenant LP: 1060868
  - [5597697] Fragile Test:
    glance.tests.functional.test_bin_glance:TestBinGlance.test_update_copying_from
    LP: 1107768
  - [5183360] filesystem store does not clean up after premature termination
    of image upload LP: 1104924
  - [03dc862] mismatched image size or checksum leaves behind dangling image
    data LP: 1122299
  - [12d28c3] UserWarning on deprecation of legacy glance client inappropriate
    for internal usage LP: 1129445
  - [afe6166] 'glance-cache-manage list-cached' does not show 'last accessed'
    and 'last modified' fields in human-readable format' LP: 1102334
  - [ee13560] Fix broken JSON schemas in v2 tests

[ Chuck Short ]
* debian/patches/disable-swift-tests.patch: Refreshed.

66. By James Page on 2013-03-22

* Resync with latest security update.
* SECURITY UPDATE: fix information disclosure via Glance v1 API
  - debian/patches/CVE-2013-1840.patch: adjust api/middleware/cache.py to
    not show image_meta['location']
  - CVE-2013-1840

65. By Jamie Strandboge on 2013-03-13

* SECURITY UPDATE: fix information disclosure via Glance v1 API
  - debian/patches/CVE-2013-1840.patch: adjust api/middleware/cache.py to
    not show image_meta['location']
  - CVE-2013-1840

64. By Jamie Strandboge on 2013-01-29

* SECURITY UPDATE: information disclosure via swift error messages
  - debian/patches/CVE-2013-0212.patch: adjust glance/store/swift.py to
    mot show URLs and credentials in error messages and log output
  - CVE-2013-0212

63. By Jamie Strandboge on 2012-11-09

* SECURITY UPDATE: deletion of arbitrary public and shared images via
  authenticated user
  - debian/patches/CVE-2012-4573b.patch: previous patch was incomplete.
    Make corresponding change to glance/api/v2/images.py
  - CVE-2012-4573
* debian/control: add Build-Depends-Indep on python-chardet. This is needed
  by python-requests to do encoding detection which otherwise fails in the
  new tests introduced in CVE-2012-4573b.patch.

62. By Jamie Strandboge on 2012-11-08

* SECURITY UPDATE: deletion of arbitrary public and shared images via
  authenticated user
  - debian/patches/CVE-2012-4573.patch: adjust glance/api/v1/images.py to
    ensure image is owned by user before delayed_deletion
  - CVE-2012-4573
* debian/patches/fakeauth-not-always-admin.patch: add required testsuite
  patch in support of the testsuite changes in CVE-2012-4573.patch

61. By James Page on 2012-10-12

* Glance should suggest python-ceph, not ceph-common (LP: #1065903):
  - debian/control: glance Suggests: ceph-common -> python-ceph.

60. By Chuck Short on 2012-09-27

* debian/control: Clean-up python depends. Thanks to Sam Morrison.
  (LP: #1053790)
* New upstream release.

59. By Chuck Short on 2012-09-26

New usptream release.