Version 2:18.0.0-3 of glance is marked for autoremoval from testing on Mon 11 Nov 2019. It depends (transitively) on libmatheval, uwsgi, affected by #885212, #941432. You should try to prevent the removal by fixing these RC bugs.
CVE-2015-5162: The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image.
CVE-2016-0757: OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by removing the last location of an image.
CVE-2017-7200: An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.
Please fix them.
Standards version of the package is outdated.
wishlist
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.4.1 instead of
4.3.0).
![[bug history graph]](https://qa.debian.org/data/bts/graphs/g/glance.png){kind=link}