ReleaseNotes/2011.3.1

= Release Notes, 2011.3.1 =

The 2011.3.1 release is a Diablo bugfix update for Nova and Glance.

The bugfixes contained in this release were backported from the development branches into a stable branch. The release is intended to be a relatively risk free update with no intentional regressions or API changes.

Bugs Fixed
In total, 90 launchpad bugs are fixed by this update.


 * Nova: List of Nova bugs fixed in the 2011.3.1 release
 * Glance: List of Glance bugs fixed in the 2011.3.1 release

Nova

 * Image access control is available
 * Incorrect secret key causes user details to be revealed (CVE-2011-4076)
 * Security groups are not sanity checked for incorrect data
 * Path Traversal possible when downloading an image (CVE-2011-4596)
 * Potential directory traversal in _untarzip_image (CVE-2011-4596)
 * project_id could be overwritten to any value by URI value (CVE-2012-0030)

Glance

 * Location information still showing in calls to HEAD|GET /images/
 * Glance reports location (with credentials) in create return json
 * Swift upload via Glance logs the password it's using

Nova

 * Admin password in clear text in nova-compute log file