*** This bug is a security vulnerability ***

Public security bug reported:

Glance accepts the 'X-Openstack-Request-ID' header and includes the value in log files. The length of the Request ID is limited only by the max_header_line parameter, which defaults to 16384. This opens the possibility to flood the logs.

Public as this vulnerability was already discussed today at the Glance weekly meeting.

** Affects: glance
     Importance: Critical
     Assignee: Erno Kuvaja (jokke)
     Status: In Progress

** Tags: log

https://bugs.launchpad.net/bugs/1482301

Title:
  'X-Openstack-Request-ID' length limited only by header size

Status in Glance:
  In Progress
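
One way to bound the header before it reaches any log call, shown as an added example and not Glance's actual fix. The 64-character cap, the allowed character set, and the names `sanitize_request_id`, `RequestIdLimitMiddleware` and `logged_length` are assumptions made for illustration.

```python
import re

# Assumed policy (not from the bug report): far below max_header_line (16384).
MAX_REQUEST_ID_LEN = 64
SAFE_REQUEST_ID = re.compile(r"[A-Za-z0-9._-]+")
HEADER_KEY = "HTTP_X_OPENSTACK_REQUEST_ID"  # WSGI name of X-Openstack-Request-ID


def sanitize_request_id(value, max_len=MAX_REQUEST_ID_LEN):
    """Return the value if it is short and log-safe, otherwise None."""
    if value is None or len(value) > max_len:
        return None
    if not SAFE_REQUEST_ID.fullmatch(value):
        return None
    return value


class RequestIdLimitMiddleware:
    """WSGI middleware that drops oversized or malformed request IDs
    before the wrapped application can copy them into its logs."""

    def __init__(self, app, max_len=MAX_REQUEST_ID_LEN):
        self.app = app
        self.max_len = max_len

    def __call__(self, environ, start_response):
        raw = environ.get(HEADER_KEY)
        if raw is not None and sanitize_request_id(raw, self.max_len) is None:
            # Drop rather than truncate: a truncated ID would no longer
            # correlate with the caller's logs. Keep only the length.
            del environ[HEADER_KEY]
            environ["request_id.rejected_length"] = len(raw)
        return self.app(environ, start_response)


def logged_length(header_value):
    """Constructed demo: length of the line a downstream app would log."""
    lines = []

    def app(environ, start_response):
        lines.append("request_id=%s" % environ.get(HEADER_KEY, "-"))
        start_response("200 OK", [])
        return [b""]

    RequestIdLimitMiddleware(app)({HEADER_KEY: header_value}, lambda s, h: None)
    return len(lines[0])


if __name__ == "__main__":
    print(logged_length("req-abc"), logged_length("A" * 16384))
```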