Bug 807855 - VUL-1: CVE-2013-0266: openstack-cinder: information leak / credentials exposure via cinder.conf
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Vincent Untz
Reported: 2013-03-06 17:41 UTC by Matthias Weckbecker
Modified: 2013-09-25 09:03 UTC (History)
Description Matthias Weckbecker 2013-03-06 17:41:49 UTC
From [1]:

 "Prior to this commit, the puppetlabs-cinder module applied the mode
  0644 to the File[$::cinder::params::cinder_conf] resource which
  were too permissive. This commit explicitly sets the mode to 0600."

[1] https://github.com/puppetlabs/puppetlabs-cinder/commit/7da79
Comment 1 Matthias Weckbecker 2013-03-06 17:43:42 UTC
I think this does not seem to be affecting openstack, but more puppet /
puppetlabs-cinder. Do we use that / something similar at SUSE Cloud?

CC'ing vdziewiecki.
Comment 4 Vincent Untz 2013-03-07 08:37:19 UTC
1) We don't have cinder in SUSE Cloud 1.0; the only place where we ship it is openSUSE 12.3.

2) This is indeed a permission issue from the puppet scripts. Our packages have the right permissions.

3) However, I see that the chef cookbook we'll likely use in 2.0 has this issue: https://github.com/att-cloud/cookbook-cinder/blob/master/recipes/api.rb#L81
In general, we should review the cookbooks again for this kind of mistake. I've created a trello card for this: https://trello.com/c/mEWdMcSr

Not sure if we want to keep the bug
Comment 5 Matthias Weckbecker 2013-03-11 13:35:36 UTC
Let's keep it open until 3 is verified to be OK. Please keep us posted.
Comment 6 Alexander Bergmann 2013-09-25 08:43:42 UTC
Vincent, please have a look at whether this kind of mistake is present in Cloud 2.0.
Comment 7 Vincent Untz 2013-09-25 09:03:45 UTC
This is not present in Cloud 2.0, but that's because we didn't switch to the cookbooks we were considering. That being said, I think it's safe to close the bug.
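
The permission check discussed in this report (mode 0644 versus 0600 on cinder.conf), as an added example that is not part of the bug thread or of any project mentioned in it: it walks a configuration directory, reports regular `.conf` files whose mode grants more than 0600, and strips the excess bits. The function names, the `.conf` suffix filter and the sample file content are assumptions made for illustration.

```python
import os
import stat
import tempfile

ALLOWED = 0o600  # mode the quoted commit sets on cinder.conf


def excess_bits(mode, allowed=ALLOWED):
    """Return the permission bits in `mode` that go beyond `allowed`."""
    return stat.S_IMODE(mode) & ~allowed


def audit(root, suffix=".conf", allowed=ALLOWED):
    """Walk `root`; return (path, mode, excess) for over-permissive files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            extra = excess_bits(st.st_mode, allowed)
            if extra:
                findings.append((path, stat.S_IMODE(st.st_mode), extra))
    return findings


def harden(findings, allowed=ALLOWED):
    """Strip the excess bits from each finding; never adds permissions."""
    for path, mode, _extra in findings:
        os.chmod(path, mode & allowed)


def demo():
    """Constructed sample: a stand-in cinder.conf created with mode 0644."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "cinder.conf")
        with open(conf, "w") as fh:
            fh.write("[DEFAULT]\nsecret = placeholder\n")  # constructed content
        os.chmod(conf, 0o644)
        before = audit(root)
        harden(before)
        after = audit(root)
        return [(os.path.basename(p), oct(m), oct(e)) for p, m, e in before], after


if __name__ == "__main__":
    print(demo())
```

On a real host, `audit()` would be pointed at the directory holding the service configuration; `harden()` only removes bits, so a file that is already stricter than 0600 is left alone.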