Date: Thu, 09 Apr 2015 17:38:34 +0200
From: Andreas Stieger <astieger@...e.de>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: CVE Request for ceph-deploy world-readable keyring permissions

Hello,

ceph-deploy 1.5.23 fixes an issue with world-readable permissions on a keyring containing private key material.

The 1.5.23 changelog states:
"Fix an issue where keyring permissions were world readable"

The problem was that the keyring file would be created with 644 mode. If ceph-deploy was run as a dedicated non-root admin user, the keys would be readable to all other (non-admin) users of the same group, thus leaking authentication credentials.

The upstream pull request and commits are:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f

References:
https://github.com/ceph/ceph-deploy/pull/272
https://github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f
https://bugzilla.suse.com/show_bug.cgi?id=920926

Could I get a CVE ID assigned please?

Thanks
Andreas Stieger

--
Andreas Stieger <astieger@...e.de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
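
An added example, not part of the original message and not ceph-deploy's own code: the file-creation pattern that produces a 644 keyring, beside one that requests 0600 at creation time, with a check that reports keyrings accessible to group or other. The function names, file names and the 022 umask are assumptions, and the keyring content is a constructed placeholder.

```python
import os
import stat
import tempfile

# Constructed sample content; not a real Ceph key.
SAMPLE_KEYRING = "[client.admin]\n\tkey = PLACEHOLDER-NOT-A-REAL-KEY\n"


def write_keyring_default(path, data):
    # 'Before' pattern: open() creates the file as 0666 & ~umask,
    # which is 0644 under the common 022 umask.
    with open(path, "w") as f:
        f.write(data)


def write_keyring_private(path, data):
    # Hardened pattern: ask for 0600 when the file is created, so the key is
    # never group/other readable, not even briefly before a later chmod.
    # O_EXCL refuses to reuse an existing file that may carry a looser mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def exposed_bits(path):
    # Group/other permission bits set on path; 0 means owner-only.
    return stat.S_IMODE(os.lstat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def audit_keyrings(directory):
    # Map each *.keyring with any group/other access to its octal mode.
    findings = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name.endswith(".keyring") and exposed_bits(full):
            findings[name] = oct(stat.S_IMODE(os.lstat(full).st_mode))
    return findings


def demo():
    old_umask = os.umask(0o022)  # assumed typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            write_keyring_default(os.path.join(d, "old.keyring"), SAMPLE_KEYRING)
            write_keyring_private(os.path.join(d, "new.keyring"), SAMPLE_KEYRING)
            return audit_keyrings(d)  # {'old.keyring': '0o644'}
    finally:
        os.umask(old_umask)
```

Running `audit_keyrings()` over the directory where an older release wrote its keyrings identifies files that still need `chmod 600`; upgrading does not change the mode of keyrings that already exist.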