Date: Thu, 09 Apr 2015 17:38:34 +0200
From: Andreas Stieger <>
Subject: CVE Request for ceph-deploy world-readable keyring permissions


ceph-deploy 1.5.23 fixes an issue with world-readable permissions on a
keyring containing private key material.

The 1.5.23 changelog states:
"Fix an issue where keyring permissions were world readable"

The problem was that the keyring file would be created with 644 mode. If
ceph-deploy was run as a dedicated non-root admin user, the keys would
be readable to all other (non-admin) users of the same group, thus
leaking authentication credentials.

The upstream pull request and commits are:


Could I get a CVE ID assigned please?

Andreas Stieger

Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
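
The file-creation problem described in the message, as an added example that is not part of the original post and is not ceph-deploy's code: it contrasts a keyring written with the default mode under umask 022 with one created as 0600 from the start, and reports the group/other permission bits left on each. The function names and the sample keyring contents are constructed for illustration.

```python
import os
import stat
import tempfile


def write_keyring_default(path, data):
    """Weak pattern: the mode comes from the umask (0644 under the common 022)."""
    with open(path, "w") as f:
        f.write(data)


def write_keyring_private(path, data):
    """Create the file as 0600 at open time, so it is never readable by others."""
    # O_EXCL refuses to reuse an existing file that may carry looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def exposed_bits(path):
    """Return the group/other permission bits set on path (0 means owner-only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def demo():
    old_umask = os.umask(0o022)  # typical default umask, set explicitly for the demo
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = os.path.join(d, "weak.keyring")
            safe = os.path.join(d, "safe.keyring")
            # Constructed sample contents, not a real key.
            sample = "[client.admin]\n\tkey = CONSTRUCTED-PLACEHOLDER\n"
            write_keyring_default(weak, sample)
            write_keyring_private(safe, sample)
            return exposed_bits(weak), exposed_bits(safe)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    weak_bits, safe_bits = demo()
    print("default open():  group/other bits = %03o" % weak_bits)
    print("os.open(0o600):  group/other bits = %03o" % safe_bits)
```

The same `exposed_bits` check can be pointed at existing keyring files on an admin host to find ones written before the fix.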
