[Secure-testing-team] Bug#732022: nova: CVE-2013-7048: Nova live snapshots use an insecure local directory
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 12 16:07:39 UTC 2013
Package: nova
Version: 2013.1.3-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
So here is one more of the CVE's not checked yet from
security-tracker. Wheezy does not seem affected to this.
the following vulnerability was published for nova.
CVE-2013-7048[0]:
Nova live snapshots use an insecure local directory
Daniel Berrange from Red Hat reported that the directories used to
temporarily store live snapshots on Nova compute nodes were writeable
to all local users. A local attacker with shell access on compute
nodes could therefore read and modify the contents of live snapshots
before those are uploaded to the image service.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7048
http://security-tracker.debian.org/tracker/CVE-2013-7048
[1] https://bugs.launchpad.net/nova/+bug/1227027
Regards,
Salvatore
More information about the Secure-testing-team
mailing list