Bug 857209 (CVE-2013-6480) - VUL-0: CVE-2013-6480: python-apache-libcloud: doesn't send scrub_data query parameter when destroying a DigitalOcean node
Status: RESOLVED FIXED
Alias: CVE-2013-6480
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Target Milestone: ---
Assignee: Sascha Peilicke
QA Contact: Security Team bot
Reported: 2014-01-02 14:41 UTC by Alexander Bergmann
Modified: 2014-06-20 11:10 UTC
Found By: Security Response Team

Description Alexander Bergmann 2014-01-02 14:41:56 UTC
CVE-2013-6480

Via Red Hat Bugzilla:

DigitalOcean recently changed the default API behavior from scrub to non-scrub when destroying a VM.

Libcloud doesn't explicitly send the "scrub_data" query parameter when destroying a node. This means nodes which are destroyed using Libcloud are vulnerable to later customers stealing data contained on them. Only users who are using the DigitalOcean driver are known to be affected by this issue.

The issue is said to be fixed in version 0.13.3.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6480
https://bugzilla.redhat.com/show_bug.cgi?id=1047867
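
An added example (not code from Libcloud or from this report): a small audit over recorded outbound API request URLs that flags destroy calls which leave scrub_data to the provider's default, the condition described above. The `/destroy` path suffix, the accepted truthy values, the host name and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions for this example: destroy calls end in "/destroy", and the API
# treats "1" or "true" as a request to scrub. Neither is stated in the report.
DESTROY_SUFFIX = "/destroy"
TRUTHY = {"1", "true"}

# Constructed sample of recorded request URLs (placeholder host and IDs).
SAMPLE_REQUESTS = [
    "https://api.example.invalid/droplets/101/destroy/?client_id=REDACTED&api_key=REDACTED",
    "https://api.example.invalid/droplets/102/destroy/?client_id=REDACTED&scrub_data=1",
    "https://api.example.invalid/droplets/103/destroy/?scrub_data=1&scrub_data=0",
    "https://api.example.invalid/droplets/104/destroy/?scrub_data=",
    "https://api.example.invalid/droplets/105/reboot/?client_id=REDACTED",
]


def classify(url):
    """Return None for non-destroy requests, otherwise 'scrubbed',
    'not-scrubbed', or 'default' (parameter absent, provider default decides)."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith(DESTROY_SUFFIX):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("scrub_data")
    if values is None:
        return "default"
    # Repeated or empty values are ambiguous, so only an all-truthy set passes.
    if all(v.lower() in TRUTHY for v in values):
        return "scrubbed"
    return "not-scrubbed"


def audit(urls):
    """List (url, verdict) for destroy calls that do not explicitly scrub."""
    findings = []
    for url in urls:
        verdict = classify(url)
        if verdict in ("default", "not-scrubbed"):
            findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_REQUESTS):
        print(f"{verdict:13} {url}")
```
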
Comment 1 Swamp Workflow Management 2014-01-06 23:00:15 UTC
bugbot adjusting priority
Comment 2 Sascha Peilicke 2014-01-28 14:51:08 UTC
sr#215389
Comment 3 Bernhard Wiedemann 2014-01-28 15:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (857209) was mentioned in
https://build.opensuse.org/request/show/215389 13.1 / python-apache-libcloud
Comment 4 Bernhard Wiedemann 2014-01-28 17:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (857209) was mentioned in
https://build.opensuse.org/request/show/215400 13.1 / python-apache-libcloud
Comment 5 Marcus Meissner 2014-06-20 11:10:41 UTC
was released