Bugzilla – Bug 807855
VUL-1: CVE-2013-0266: openstack-cinder: information leak / credentials exposure via cinder.conf
Last modified: 2013-09-25 09:03:45 UTC
From [1]: "Prior to this commit, the puppetlabs-cinder module applied the mode 0644 to the File[$::cinder::params::cinder_conf] resource, which was too permissive. This commit explicitly sets the mode to 0600." [1] https://github.com/puppetlabs/puppetlabs-cinder/commit/7da79
I think this does not seem to be affecting openstack, but more puppet / puppetlabs-cinder. Do we use that / something similar at SUSE Cloud? CC'ing vdziewiecki.
1) We don't have cinder in SUSE Cloud 1.0; the only place where we ship it is openSUSE 12.3.
2) This is indeed a permission issue from the puppet scripts. Our packages have the right permissions.
3) However, I see that the chef cookbook we'll likely use in 2.0 has this issue: https://github.com/att-cloud/cookbook-cinder/blob/master/recipes/api.rb#L81
In general, we should review the cookbooks again for this kind of mistake. I've created a trello card for this: https://trello.com/c/mEWdMcSr
Not sure if we want to keep the bug.
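The check a packager or deployer would want for the issue discussed above, as an added example (not code from this bug, from puppetlabs-cinder, from cookbook-cinder or from the SUSE packages): a config file that carries credentials, such as cinder.conf with its database connection string, must be mode 0600 rather than 0644, since 0644 lets any local user read it. The script below checks a file (or every file in a directory) for group/other permission bits, tightens an offending file, and demonstrates both on a constructed file standing in for /etc/cinder/cinder.conf. It assumes GNU `stat -c '%a'`; the `cinder` owner and the sample config contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of Bugzilla bug 807855 nor of any of the projects
# it references. Checks and fixes the permission problem the bug describes:
# a credentials-bearing config file shipped as 0644 instead of 0600.
# Assumes GNU stat (stat -c '%a' prints the octal mode without leading zero).

# conf_mode_ok FILE
# Returns 0 if only the owner has any permission bits, 1 if group or other
# have any bit set (e.g. 0644, 0640, 0604), 2 if the file does not exist.
conf_mode_ok() {
    f=$1
    [ -f "$f" ] || { echo "conf_mode_ok: $f: no such file" >&2; return 2; }
    m=$(stat -c '%a' "$f")
    case $m in
        *00) return 0 ;;
        *)   echo "conf_mode_ok: $f: mode $m, expected 0600" >&2; return 1 ;;
    esac
}

# conf_mode_fix FILE [OWNER]
# Tightens FILE to 0600. The chown to the service account (OWNER) is only
# attempted when running as root, so the example also runs unprivileged.
conf_mode_fix() {
    f=$1; owner=${2:-}
    chmod 0600 "$f" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$f" || return 1
    fi
    return 0
}

# conf_dir_check DIR
# Reports every offending file under DIR (one level); returns 1 if any.
conf_dir_check() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        conf_mode_ok "$f" || rc=1
    done
    return $rc
}

# Demo on a constructed file (stands in for /etc/cinder/cinder.conf; the
# connection string is made up).
demo() {
    d=$(mktemp -d)
    printf '[DEFAULT]\nsql_connection = mysql://cinder:secret@db/cinder\n' \
        > "$d/cinder.conf"
    chmod 0644 "$d/cinder.conf"     # the mode the bug reports
    conf_dir_check "$d" && echo "unexpected: 0644 passed the check"
    conf_mode_fix "$d/cinder.conf" cinder
    conf_dir_check "$d" && echo "fixed: cinder.conf is now $(stat -c '%a' "$d/cinder.conf")"
    rm -rf "$d"
}

demo
```

On a real host, run `conf_dir_check /etc/cinder` after package installation or a Puppet/Chef run; the 0600 check is the one that would have caught both the puppetlabs-cinder resource and the cookbook recipe line referenced above.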
Let's keep it open until 3 is verified to be OK. Please keep us posted.
Vincent, please have a look if this kind of mistake is present in Cloud 2.0.
This is not present in Cloud 2.0, but that's because we didn't switch to the cookbooks we were considering. That being said, I think it's safe to close the bug.