[Openstack-devel] Bug#707600: Bug#707600: CVE-2013-2030: Nova uses insecure keystone middleware tmpdir by default [OSSA 2013-010]

Thomas Goirand thomas at goirand.fr
Fri May 10 03:19:50 UTC 2013


On 05/10/2013 12:40 AM, Luciano Bello wrote:
> Package: nova
> Severity: important
> Tags: security patch
> Justification: user security hole
> 
> Please see:
> http://lists.openstack.org/pipermail/openstack-announce/2013-May/000098.html
> 
> Cheers, luciano

Hi Luciano,

Thanks for submitting this bug.

The version of Nova in Wheezy isn't affected by this problem (simply
because the api-paste.ini doesn't have such a "signing_dir" option, and
because this signing feature isn't in OpenStack Essex). So no worries for
the stable release of Debian.

I've tagged the bug accordingly, and my Git repository for Nova Grizzly
(e.g. 2013.1.x) is already fixed. Though for the Experimental / SID
version, I'm still debating with FTP masters about the number of binary
packages, so I do not expect it to be fixed soon.

Cheers,

Thomas Goirand (zigo)


