Bug 843755 (CVE-2013-4183) - VUL-0: CVE-2013-4183: openstack-cinder: Cinder LVM volume driver does not support secure deletion
Status: RESOLVED FIXED
Alias: CVE-2013-4183
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Assignee: Sascha Peilicke
QA Contact: Security Team bot
Reported: 2013-10-02 18:35 UTC by Marcus Meissner
Modified: 2013-11-28 13:02 UTC
Found By: Security Response Team
Description Marcus Meissner 2013-10-02 18:35:05 UTC
CVE-2013-4183

The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1
through 2013.1.2 does not properly clear data when deleting a snapshot, which
allows local users to obtain sensitive information via unspecified vectors.

References:
http://comments.gmane.org/gmane.comp.security.oss.general/10806
https://bugs.launchpad.net/cinder/+bug/1198185
https://rhn.redhat.com/errata/RHSA-2013-1198.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4183
https://bugzilla.redhat.com/show_bug.cgi?id=994355
Comment 1 Swamp Workflow Management 2013-10-02 22:00:46 UTC
bugbot adjusting priority
Comment 2 Vincent Untz 2013-11-21 14:46:02 UTC
Sascha: here are the latest security issues we have.
Comment 3 Vincent Untz 2013-11-21 14:49:32 UTC
We have a newer version than 2013.1.2, so I guess we're fine?
Comment 4 Sascha Peilicke 2013-11-28 13:02:55 UTC
Yes. For the record this fix was already present in Cloud-2-GA with openstack-cinder-2013.1.4.a3.g74a2154.