Date: Thu, 09 Apr 2015 17:38:34 +0200
From: Andreas Stieger <astieger@...e.de>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: CVE Request for ceph-deploy world-readable keyring permissions

Hello,

ceph-deploy 1.5.23 fixes an issue with world-readable permissions on a
keyring containing private key material.

The 1.5.23 changelog states:
"Fix an issue where keyring permissions were world readable"

The problem was that the keyring file would be created with 644 mode. If
ceph-deploy was run as a dedicated non-root admin user, the keys would
be readable to all other (non-admin) users of the same group, thus
leaking authentication credentials.

The upstream pull request and commits are:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f

References:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f
https://bugzilla.suse.com/show_bug.cgi?id=920926

Could I get a CVE ID assigned please?

Thanks
Andreas Stieger

-- 
Andreas Stieger <astieger@...e.de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild,
Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
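The permission problem described in the message above, as an added example that is not part of the original post and is not ceph-deploy's own code: a file written with a plain `open()` under a typical 022 umask ends up 0644, while creating it through `os.open()` with mode 0600 keeps it private, and a small audit flags keyrings that group or other can access. The function names, the `.keyring` suffix filter and the sample contents are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed placeholder contents, not real key material.
SAMPLE_KEYRING = b"[client.admin]\n\tkey = CONSTRUCTED-PLACEHOLDER==\n"

def write_keyring_insecure(path, data):
    """'Before' behaviour: open() creates 0666 & ~umask, i.e. 0644 with umask 022."""
    with open(path, "wb") as f:
        f.write(data)

def write_keyring_private(path, data):
    """Create the file as 0600 from the start, so it is never readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        # The mode passed to os.open() is ignored when the file already exists,
        # so tighten a pre-existing file before writing the secret into it.
        os.fchmod(f.fileno(), 0o600)
        f.write(data)

def audit_keyrings(directory):
    """Return {filename: octal mode} for *.keyring files with any group/other bits set."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".keyring"):  # assumed naming convention
            continue
        mode = stat.S_IMODE(os.lstat(os.path.join(directory, name)).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings[name] = oct(mode)
    return findings

def demo():
    """Write one keyring each way under umask 022 and report what the audit flags."""
    old_umask = os.umask(0o022)  # typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            write_keyring_insecure(os.path.join(d, "before.keyring"), SAMPLE_KEYRING)
            write_keyring_private(os.path.join(d, "after.keyring"), SAMPLE_KEYRING)
            return audit_keyrings(d)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(demo())
```

Running `audit_keyrings()` against the directory where an older ceph-deploy wrote its keyrings shows whether files created before the upgrade still need a `chmod 600`, since upgrading does not change the mode of files that already exist.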