Date: Thu, 09 Apr 2015 17:38:34 +0200
From: Andreas Stieger <>
Subject: CVE Request for ceph-deploy world-readable keyring permissions


ceph-deploy 1.5.23 fixes an issue with world-readable permissions on a
keyring containing private key material.

The 1.5.23 changelog states:
"Fix an issue where keyring permissions were world readable"

The problem was that the keyring file would be created with 644 mode. If
ceph-deploy was run as a dedicated non-root admin user, the keys would
be readable to all other (non-admin) users of the same group, thus
leaking authentication credentials.

The upstream pull request and commits are:


Could I get a CVE ID assigned please?

Andreas Stieger

Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
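
The permission problem described in the message above, as an added Python example; it is not ceph-deploy's code or its upstream fix. It writes a keyring with a plain open() (mode 644 under the common umask 022) and with an owner-only variant, then reports the resulting modes. The function names, file names and the placeholder keyring content are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed sample keyring; the key is a placeholder, not a real secret.
SAMPLE_KEYRING = "[client.admin]\n\tkey = PLACEHOLDER-NOT-A-REAL-KEY\n"


def write_keyring_default(path, content):
    """'Before' pattern: open() creates 0666 & ~umask, i.e. 0644 under umask 022."""
    with open(path, "w") as f:
        f.write(content)


def write_keyring_private(path, content):
    """Hardened pattern: owner-only (0600) before any key material is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        # os.open() ignores its mode argument when the file already exists,
        # so tighten the open descriptor explicitly before writing the secret.
        os.fchmod(f.fileno(), 0o600)
        f.write(content)


def exposed_bits(path):
    """Return the group/other permission bits set on path (0 means owner-only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def demo():
    """Return (mode of default write, same file re-written privately, fresh private file)."""
    old_umask = os.umask(0o022)  # typical default umask on Linux hosts
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = os.path.join(d, "weak.keyring")
            fresh = os.path.join(d, "fresh.keyring")
            write_keyring_default(weak, SAMPLE_KEYRING)
            before = stat.S_IMODE(os.stat(weak).st_mode)
            assert exposed_bits(weak) != 0  # group and other can read the key
            write_keyring_private(weak, SAMPLE_KEYRING)  # existing 0644 file
            write_keyring_private(fresh, SAMPLE_KEYRING)  # newly created file
            after = stat.S_IMODE(os.stat(weak).st_mode)
            return before, after, stat.S_IMODE(os.stat(fresh).st_mode)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```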
