[PKG-Openstack-devel] Bug#787654: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues

László Böszörményi (GCS) gcs at debian.org
Wed Jun 3 21:19:37 UTC 2015


Control: fixed -1 2015.1~rc2-1

Hi Salvatore,

On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
> Note that this at least seems partially addressed, namely in the
> cassandra part. I have not checked all remaining occurrences.
Yes, the Cassandra part was fixed last year[1]. The fixing patch is also
available[2]. Other parts are not fixed, keep reading.
One of the developers, Nikhil Manchanda states[3]:
"The impact of this is pretty minimal. From a deployment perspective,
datastores are deployed so that file access is not allowed. Coupling
that with the fact that SSH access to the Trove instance is also
restricted, this vulnerability seems very hard to exploit. However,
regardless of these mitigations, we're planning on having a fix for
this in Trove during kilo."
Later Jeremy Stanley, a member of the OpenStack Vulnerability
Management Team states[4]:
"Due to the need for access to the instance filesystem and the limited
exposure (basically anyone with shell access to a Trove instance is
going to be the administrator of the infrastructure on which it's
running) along with the fact that it's only slated to be fixed in the
master branch for inclusion in the upcoming Kilo release, the VMT will
not be publishing a security advisory nor requesting a CVE for this
bug."

Then it was reviewed and merged to master back on 21st of January[5].
Thus the fix is part of 2015.1.0rc2 which was tagged on 23rd of
April[6] and was uploaded to Sid on 29th of April[7]. Marking the bug
accordingly.

Regards,
Laszlo/GCS
[1] https://git.openstack.org/cgit/openstack/trove/patch/?id=61774984aa2bacfe89867fc39a402a6a4cfb8f33
[2] https://review.openstack.org/#/c/138719/
[3] https://bugs.launchpad.net/trove/+bug/1398195/comments/7
[4] https://bugs.launchpad.net/trove/+bug/1398195/comments/8
[5] https://git.openstack.org/cgit/openstack/trove/commit/?id=61774984aa2bacfe89867fc39a402a6a4cfb8f33
[6] https://git.openstack.org/cgit/openstack/trove/tag/?id=2015.1.0rc2
[7] https://packages.qa.debian.org/o/openstack-trove/news/20150429T164344Z.html