
List:       oss-security
Subject:    [oss-security] Re: CVE-2013-1977 - OpenStack keystone.conf insecure file permissions
From:       Thierry Carrez <thierry () openstack ! org>
Date:       2013-04-23 15:05:24
Message-ID: 5176A334.3030608 () openstack ! org

Kurt Seifried wrote:
> As reported: https://bugs.launchpad.net/keystone/+bug/1168252
> 
> The password configuration of LDAP and admin_token in
> keystone.conf should be secret to protect security information: 
> [...]

See my comment on the bug... now at
https://bugs.launchpad.net/devstack/+bug/1168252

This is actually not a Keystone issue, it's a packaging/deployment
issue that affects a number of distributions of OpenStack, including
the devstack installer.

Looks like we could issue a "security note" about it, mentioning that
CVE, to raise the profile of this.

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
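
An added example, not part of the thread or of OpenStack's code: a Python check a deployer could run to see whether a keystone.conf holding admin_token or an LDAP password is accessible to non-owners, followed by one possible tightening. The section names, the 0644 starting mode of the constructed sample file and the chmod policy are assumptions.

```python
import configparser
import os
import stat
import tempfile

# Options the report names as secret. The section names are assumptions.
SECRET_OPTIONS = [("DEFAULT", "admin_token"), ("ldap", "password")]

def secrets_present(path):
    """Return 'section/option' for each secret option set in the file."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read(path)
    return sorted(f"{s}/{o}" for s, o in SECRET_OPTIONS if cp.has_option(s, o))

def audit(path):
    """Report permission bits that let non-owners read or alter the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    checks = [(stat.S_IROTH, "world-readable"),
              (stat.S_IWOTH, "world-writable"),
              (stat.S_IWGRP, "group-writable")]
    return {"mode": oct(mode),
            "secrets": secrets_present(path),
            "findings": [name for bit, name in checks if mode & bit]}

def harden(path):
    """Drop all 'other' access and group write; owner and group read stay."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IRWXO | stat.S_IWGRP))

def demo():
    # Constructed sample file; the values are placeholders, not real secrets.
    sample = "[DEFAULT]\nadmin_token = PLACEHOLDER\n\n[ldap]\npassword = PLACEHOLDER\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "keystone.conf")
        with open(path, "w") as f:
            f.write(sample)
        os.chmod(path, 0o644)  # assumed permissive starting mode
        before = audit(path)
        harden(path)
        return before, audit(path)

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

The file's owner and group should also be checked against the account the service runs as, since the mode bits alone do not show who the group is.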