Revision as of 16:32, 19 January 2012

Release Notes, 2011.3.1

The 2011.3.1 release is a Diablo bugfix update for Nova and Glance.

The bugfixes contained in this release were backported from the development branches into a stable branch. The release is intended to be a relatively risk free update with no intentional regressions or API changes.

<<TableOfContents()>>

Bugs Fixed

In total, 90 launchpad bugs are fixed by this update.

• Nova: List of Nova bugs fixed in the 2011.3.1 release
• Glance: List of Glance bugs fixed in the 2011.3.1 release

Resolved Security Issues

Nova

• Image access control is available
• Incorrect secret key causes user details to be revealed (CVE-2011-4076)
• Security groups are not sanity checked for incorrect data
• Path Traversal possible when downloading an image (CVE-2011-4596)
• Potential directory traversal in _untarzip_image (CVE-2011-4596)
• project_id could be overwritten to any value by URI value (CVE-2012-0030)

Glance

• Location information still showing in calls to HEAD|GET /images/<ID>
• Glance reports location (with credentials) in create return json
• Swift upload via Glance logs the password it's using

Known Issues and Limitations

Nova

• Admin password in clear text in nova-compute log file

Glance

• Swift uploads through Glance using ridiculously small chunks