Bugzilla – Bug 956038
VUL-1: CVE-2015-8234: openstack-glance: Use of MD5 in OpenStack Glance image signature
Last modified: 2016-09-01 14:21:33 UTC
CVE-2015-8234
Title: Use of MD5 in OpenStack Glance image signature
Reporter: Daniel P. Berrange (Red Hat)
Products: Glance
Affects: =11.0.0

Description:
Daniel P. Berrange from Red Hat reported a vulnerability in the Glance image signature feature. Glance computes the cryptographic signature over an MD5 hash of the image. By crafting a malicious image that produces an MD5 collision, a Glance backend operator may subvert the signature verification process, resulting in a corrupted image. All Glance setups are affected.

References:
https://launchpad.net/bugs/1516031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8234
http://seclists.org/oss-sec/2015/q4/323
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8234.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8234
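The failure mode the advisory describes, as an added illustration that is not Glance's own code: a signer computes a signature over hash(image), and the verifier recomputes the same hash over whatever bytes the backend serves. The two 128-byte messages are the publicly known MD5 collision pair from Wang et al. (real data standing in for two image payloads; neither is a disk image). The signing key, the HMAC used in place of the image owner's RSA/ECC signature, and all function names are assumptions made for this example. Parameterising the hash lets the same code show that the swap is accepted under MD5 and rejected under SHA-256; the SHA-256 variant is only an illustration of what a collision-resistant digest changes, not the upstream patch.

```python
import hashlib
import hmac

# Wang et al.'s published MD5 collision pair (public data, constructed for
# this example as stand-ins for an uploaded image and a swapped-in image).
IMAGE_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
IMAGE_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Hypothetical image-owner key. HMAC over the digest stands in for the
# asymmetric signature so the example runs with the standard library only;
# the hash that feeds the signature is the part that matters here.
SIGNING_KEY = b"example-image-owner-key"


def image_digest(image: bytes, hash_name: str) -> str:
    """Hex digest of the image bytes under the named hash (md5, sha256, ...)."""
    return hashlib.new(hash_name, image).hexdigest()


def sign_image(image: bytes, hash_name: str) -> str:
    """Uploader side: sign the digest of the image, not the image itself."""
    digest = image_digest(image, hash_name)
    return hmac.new(SIGNING_KEY, digest.encode(), "sha256").hexdigest()


def verify_image(image: bytes, signature: str, hash_name: str) -> bool:
    """Consumer side: recompute the digest over the bytes the backend served
    and check the signature against it, in constant time."""
    expected = sign_image(image, hash_name)
    return hmac.compare_digest(expected, signature)


def differing_byte_offsets(a: bytes, b: bytes) -> list:
    """Offsets where the two payloads differ (shows they really are distinct)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def backend_swap_survives_verification(hash_name: str) -> bool:
    """The uploader signs IMAGE_A; a backend operator serves IMAGE_B instead.
    Returns True if the consumer still accepts IMAGE_B as authentic."""
    signature = sign_image(IMAGE_A, hash_name)
    return verify_image(IMAGE_B, signature, hash_name)


if __name__ == "__main__":
    print("payloads differ at byte offsets:", differing_byte_offsets(IMAGE_A, IMAGE_B))
    for name in ("md5", "sha256"):
        same = image_digest(IMAGE_A, name) == image_digest(IMAGE_B, name)
        print(f"{name:7s} digests equal: {same!s:5s} "
              f"swapped image accepted: {backend_swap_survives_verification(name)}")
```

Under md5 the two payloads share the digest 79054025255fb1a26e4bc422aef54eb4, so the signature made over IMAGE_A verifies IMAGE_B and the consumer never learns the backend substituted the bytes; under sha256 the digests differ and verification fails. Turning this into a bootable malicious image requires a chosen-prefix collision rather than this fixed pair, but the verifier's behaviour on the swap is the same.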
bugbot adjusting priority
This seems to only impact Liberty (i.e., Cloud 6). However, there's no upstream fix planned for this in Liberty, only in the next version. Also, it really matters only if there's a malicious Glance backend operator. I'm not really sure how this could happen in the context of our product.
Let us wait for the upstream fix then.