oss-sec mailing list archives

Re: CVE-2013-1977 - OpenStack keystone.conf insecure file permissions


From: Thierry Carrez <thierry () openstack org>
Date: Tue, 23 Apr 2013 17:05:24 +0200

Kurt Seifried wrote:
> As reported: https://bugs.launchpad.net/keystone/+bug/1168252
>
> The password configuration of LDAP and admin_token in
> keystone.conf should be secret to protect security information:
> [...]

See my comment on the bug... now at
https://bugs.launchpad.net/devstack/+bug/1168252

This is actually not a Keystone issue, it's a packaging/deployment
issue that affects a number of distributions of OpenStack, including
the devstack installer.

Looks like we could issue a "security note" about it, mentioning that
CVE, to raise the profile of this.

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
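The deployment-side check the thread is asking packagers to get right, as an added example that is not part of the original message: a small POSIX sh audit that reports a keystone.conf holding an admin_token or an LDAP bind password while being readable by group or others. It assumes an `ls -l` permission column in the usual Unix layout; the sample file written in the usage section is constructed for the example, and the path is a placeholder.

```shell
#!/bin/sh
# Audit a keystone.conf for the exposure behind CVE-2013-1977: secrets stored
# in a file whose group/other permission bits allow reading. The key names
# (admin_token, password for the [ldap] bind user) are the ones named in the
# bug report. Nothing here modifies the file; it only reports.

# Print the distinct secret-bearing keys found in the file, one per line
# (matches lines such as "admin_token = ..." or "password = ...").
keystone_secret_keys() {
    grep -E '^[[:space:]]*(admin_token|password)[[:space:]]*=' "$1" \
        | sed -E 's/^[[:space:]]*([A-Za-z_]+).*/\1/' | sort -u
}

# Return 0 when someone other than the owner can read the file, i.e. any of
# the group or other permission bits (columns 5-10 of `ls -l`) carries an r.
keystone_conf_readable_by_others() {
    perms=$(ls -ld "$1" | cut -c5-10)
    case "$perms" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Exit status: 0 = no exposure, 1 = secrets present and file readable by
# group/others, 2 = file missing. Prints a one-line finding when exposed.
audit_keystone_conf() {
    [ -f "$1" ] || return 2
    secrets=$(keystone_secret_keys "$1")
    [ -n "$secrets" ] || return 0
    keystone_conf_readable_by_others "$1" || return 0
    echo "EXPOSED: $1 ($(ls -ld "$1" | cut -c1-10)) holds: $(echo $secrets)"
    return 1
}

# Usage: ./audit_keystone_conf.sh /etc/keystone/keystone.conf   (placeholder path)
if [ "$#" -gt 0 ]; then
    audit_keystone_conf "$1"
    exit $?
fi
```

Run it against every copy of the file a package or installer drops (devstack's included), not only the one under /etc.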

