Adds OSSA-2015-002

Related-Bug: #1408663
Change-Id: Id36443b17f18a0f0cbcfd731c4fd50d8f2ffd9d1

ossa/OSSA-2015-002.yaml

@@ -0,0 +1,61 @@
+date: 2015-01-15
+
+id: OSSA-2015-002
+
+title: 'Glance v2 API unrestricted path traversal through filesystem:// scheme'
+
+description: 'Jin Liu from EMC reported that path traversal vulnerabilities in Glance
+    were not fully patched in OSSA 2014-041. By setting a malicious image
+    location to a filesystem:// scheme an authenticated user can still
+    download or delete any file on the Glance server for which the Glance
+    process user has access to. Only setups using the Glance V2 API are
+    affected by this flaw.'
+
+errata: 'When the original advisory was published a CVE number was not assigned.
+    CVE-2015-1195 can now be used to track this vulnerability.'
+
+affected-products:
+
+  - product: glance
+    version: up to 2014.1.3 and 2014.2 versions up to 2014.2.1
+
+vulnerabilities:
+
+  - cve-id: CVE-2015-1195
+
+reporters:
+
+  - name: 'Jin Liu'
+    affiliation: EMC
+    reported:
+      - CVE-2015-1195
+
+issues:
+
+  links:
+    - https://launchpad.net/bugs/1408663
+
+  type: launchpad
+
+reviews:
+
+  kilo:
+    - https://review.openstack.org/145640
+
+  juno:
+    - https://review.openstack.org/145916
+
+  icehouse:
+    - https://review.openstack.org/145974
+
+  type: gerrit
+
+notes:
+  - 'This fix was included in the kilo-1 development milestone and will be included
+     in future 2014.2.2 (juno) and 2014.1.4 (icehouse) releases.'
+  - 'The OpenStack VMT recommends revoking all credentials stored in files
+     accessible by Glance as a precautionary measure.'
+
+errata_history:
+  - 2015-01-19 - Errata 1
+  - 2015-01-15 - Original Version