[PKG-Openstack-devel] Bug#900176: Bug#900176: tripleo-heat-templates: CVE-2017-12155

Thomas Goirand thomas at goirand.fr
Mon May 28 13:41:28 BST 2018


On 05/27/2018 08:29 AM, Salvatore Bonaccorso wrote:
> Source: tripleo-heat-templates
> Version: 5.2.0-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://bugs.launchpad.net/tripleo/+bug/1720787
> 
> Hi,
> 
> The following vulnerability was published for tripleo-heat-templates.
> 
> CVE-2017-12155[0]:
> | A resource-permission flaw was found in the
> | openstack-tripleo-heat-templates package where
> | ceph.client.openstack.keyring is created as world-readable. A local
> | attacker with access to the key could read or modify data on Ceph
> | cluster pools for OpenStack as though the attacker were the OpenStack
> | service, thus potentially reading or modifying data in an OpenStack
> | Block Storage volume.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-12155
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12155
> [1] https://bugs.launchpad.net/tripleo/+bug/1720787
> 
> Regards,
> Salvatore

Hi Salvatore,

I don't think anyone can even use tripleo-heat-templates in Debian, as
we don't have a working TripleO anyway. I just asked for its removal
from Sid. Therefore, I don't really feel like spending the time on
fixing this will be remotely useful.

In this kind of situation, shall we simply close the bug?

Cheers.

Thomas Goirand (zigo)
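The flaw quoted above is a file-permission defect: the Ceph keyring used by OpenStack services ends up world-readable. As an added illustration (not code from the advisory, tripleo-heat-templates, or this thread), the script below audits a directory tree for keyring files with any "other" permission bits set and tightens them to owner-only access; the directory layout and the placeholder key it writes are constructed for the demo.

```python
import os
import stat
import tempfile

# File name taken from the advisory text; the directory it lives in is deployment-specific.
KEYRING_NAME = "ceph.client.openstack.keyring"


def world_readable(path):
    """True if any 'other' permission bit (read, write or execute) is set on path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))


def find_exposed_keyrings(root):
    """Walk root and return the sorted paths of *.keyring files exposed to 'other'."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".keyring"):
                path = os.path.join(dirpath, name)
                if world_readable(path):
                    exposed.append(path)
    return sorted(exposed)


def harden_keyring(path, mode=0o600):
    """Restrict the keyring to its owner and return the resulting mode bits."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    # Constructed sample: a temporary tree with one keyring left at 0644 (the flaw)
    # and one already restricted to 0600. The key material is a placeholder.
    root = tempfile.mkdtemp()
    bad = os.path.join(root, KEYRING_NAME)
    good = os.path.join(root, "ceph.client.admin.keyring")
    for path in (bad, good):
        with open(path, "w") as fh:
            fh.write("[client.openstack]\n\tkey = PLACEHOLDER-NOT-A-REAL-KEY\n")
    os.chmod(bad, 0o644)   # world-readable, as described in the advisory
    os.chmod(good, 0o600)  # correctly restricted
    before = [os.path.basename(p) for p in find_exposed_keyrings(root)]
    modes = [harden_keyring(p) for p in find_exposed_keyrings(root)]
    after = [os.path.basename(p) for p in find_exposed_keyrings(root)]
    return before, modes, after


if __name__ == "__main__":
    print(demo())
```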


