oss-sec mailing list archives
Re: CVE-2013-1977 - OpenStack keystone.conf insecure file permissions
From: Thierry Carrez <thierry () openstack org>
Date: Tue, 23 Apr 2013 17:05:24 +0200
Kurt Seifried wrote:
> As reported: https://bugs.launchpad.net/keystone/+bug/1168252
>
> The password configuration of LDAP and admin_token in keystone.conf
> should be secret to protect security information: [...]

See my comment on the bug... now at
https://bugs.launchpad.net/devstack/+bug/1168252

This is actually not a Keystone issue, it's a packaging/deployment issue that affects a number of distributions of OpenStack, including the devstack installer.

Looks like we could issue a "security note" about it, mentioning that CVE, to raise the profile of this.

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
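The exposure discussed in this thread can be checked on a deployed host with a short audit of the file's mode and contents. This is an added example, not part of the original message and not OpenStack code; the option placement (`[DEFAULT] admin_token`, `[ldap] password`), the `audit` and `demo` helpers, and the sample file are assumptions constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Secrets named in the report. Their placement ([DEFAULT] admin_token,
# [ldap] password) is an assumption about the file layout.
SECRET_OPTIONS = (("DEFAULT", "admin_token"), ("ldap", "password"))

# Constructed sample, not a real configuration.
SAMPLE = """\
[DEFAULT]
admin_token = constructed-sample-token

[ldap]
password = constructed-sample-password
"""


def audit(path):
    """Report the file mode and whether secrets in it are readable by 'other'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path)
    secrets = [f"{s}.{o}" for s, o in SECRET_OPTIONS
               if cp.get(s, o, fallback="").strip()]
    # Only the 'other' read bit is judged here; whether group read is
    # acceptable depends on which group owns the file.
    world_readable = bool(mode & stat.S_IROTH)
    return {"mode": f"{mode:04o}", "secrets": secrets,
            "exposed": world_readable and bool(secrets)}


def demo():
    """Audit the sample at world-readable 0644, then again at 0600."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit(path)
        os.chmod(path, 0o600)
        tight = audit(path)
    finally:
        os.unlink(path)
    return loose, tight
```

Calling `audit()` on the real configuration path reports the same fields; an `exposed` value of `True` means any local account can read the listed secrets.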
Current thread:
- CVE-2013-1977 - OpenStack keystone.conf insecure file permissions Kurt Seifried (Apr 18)
- Re: CVE-2013-1977 - OpenStack keystone.conf insecure file permissions Thierry Carrez (Apr 23)