[PKG-Openstack-devel] Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues

László Böszörményi (GCS) gcs at debian.org
Thu Jun 4 19:18:33 UTC 2015


On Thu, Jun 4, 2015 at 8:09 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
> On Thu, Jun 04, 2015 at 09:25:56AM +0200, Thomas Goirand wrote:
>> On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote:
>> > Control: fixed -1 2015.1~rc2-1
The version set as vulnerable is wrong, by the way, but I don't
know which was the first version that contains these bugs.

>> > On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
>> >> Note that this at least seems partially addressed, namely in the
>> >> cassandra part. I have not checked all remaining occurrences.
[...]
> Yes, I agree that the severity is rather low (we marked the issue as
> no-dsa as well, btw). I think we can just reevaluate later kilo
> releases to see if upstream has fixed all the occurrences for CVE-2015-3156,
> and we don't need extraordinary/immediate action on this bug but can just
> follow along when upstream fixes them.
>
> Would you concur with this?
If you ask me, I have doubts upstream will take further steps with
this CVE. Their vulnerability team said they didn't ask for a CVE
number, as the impact is very low, if it is even possible to exploit it. As
the 'bugs' were found last December, only the Cassandra part has been
fixed in six months, and that's already part of Stretch, I say this bug
can be closed as fixed after setting the correct 'found' version.

Cheers,
Laszlo/GCS