[PKG-Openstack-devel] Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues

Salvatore Bonaccorso carnil at debian.org
Thu Jun 4 18:09:40 UTC 2015


Hi Thomas, hi László,

On Thu, Jun 04, 2015 at 09:25:56AM +0200, Thomas Goirand wrote:
> On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote:
> > Control: fixed -1 2015.1~rc2-1
> > 
> > Hi Salvatore,
> > 
> > On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
> >> Note that this at least seems partially addressed, namely in the
> >> cassandra part. I have not checked all remaining occurrences.
> >  Yes, the Cassandra part was fixed last year[1]. The fixing patch is also
> > available[2]. Other parts are not fixed, keep reading.
> > One of the developers, Nikhil Manchanda states[3]:
> > "The impact of this is pretty minimal. From a deployment perspective,
> > datastores are deployed so that file access is not allowed. Coupling
> > that with the fact that SSH access to the Trove instance is also
> > restricted, this vulnerability seems very hard to exploit. However,
> > regardless of these mitigations, we're planning on having a fix for
> > this in Trove during kilo."
> > Later Jeremy Stanley, a member of the OpenStack Vulnerability
> > Management Team states[4]:
> > "Due to the need for access to the instance filesystem and the limited
> > exposure (basically anyone with shell access to a Trove instance is
> > going to be the administrator of the infrastructure on which it's
> > running) along with the fact that it's only slated to be fixed in the
> > master branch for inclusion in the upcoming Kilo release, the VMT will
> > not be publishing a security advisory nor requesting a CVE for this
> > bug."
> > 
> > Then it was reviewed and merged to master back on 21st of January[5].
> > Thus the fix is part of 2015.1.0rc2 which was tagged on 23rd of
> > April[6] and was uploaded to Sid on 29th of April[7]. Marking the bug
> > accordingly.
> > 
> > Regards,
> > Laszlo/GCS
> 
> FWIW, I agree with Jeremy Stanley's view. I don't see how one would
> exploit the issue, if there's one at all.
> 
> I see that the issue is marked as very low in the tracker, I agree with
> that. I'm even tempted to tag the Debian bug with +wontfix (note: the
> attached patch in launchpad only fixes the issue for Cassandra, and
> doesn't even apply on top of Icehouse (i.e. 2014.1.3) in Jessie).

Yes, I agree that the severity is rather low (we marked the issue as
no-dsa as well, btw). I think we can just re-evaluate later kilo
releases if upstream has fixed all the occurrences for CVE-2015-3156
and don't need an extraordinary/immediate action on this bug, but just
follow when upstream fixes them.

Would you concur with this?

Regards,
Salvatore
