
Bug#693290: marked as done (unblock: horizon/2012.1.1-7 (CVE-2012-5474 fix))



Your message dated Wed, 21 Nov 2012 22:26:25 +0000
with message-id <1353536785.30790.7.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#693290: unblock: horizon/2012.1.1-7 (CVE-2012-5474 fix)
has caused the Debian Bug report #693290,
regarding unblock: horizon/2012.1.1-7 (CVE-2012-5474 fix)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
693290: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693290
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Horizon had its /etc/openstack-dashboard/local_settings.py
world readable. This file contains passwords, so that isn't
good. My latest upload to SID fixes this.

Please unblock package horizon 2012.1.1-7.

Note that Debian isn't affected by CVE-2012-5476, or by
CVE-2012-5483. I've checked, and the corresponding
configuration files are *not* world readable in Debian.
The security tracker has been updated for this.

Our Folsom packaging, currently in our Git on Alioth only,
isn't affected by any of the above (we rewrote all the
management on a unified library which uses BSD install,
with -m 0640, so we don't have such problems).

Cheers,

Thomas
diff -Nru horizon-2012.1.1/debian/changelog horizon-2012.1.1/debian/changelog
--- horizon-2012.1.1/debian/changelog	2012-09-21 13:20:55.000000000 +0000
+++ horizon-2012.1.1/debian/changelog	2012-11-15 08:50:33.000000000 +0000
@@ -1,3 +1,10 @@
+horizon (2012.1.1-7) unstable; urgency=high
+
+  * CVE-2012-5474: The file /etc/openstack-dashboard/local_settings is not
+  world readable anymore (Closes: #693287).
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 15 Nov 2012 08:47:18 +0000
+
 horizon (2012.1.1-6) unstable; urgency=low
 
   * Keyerror when displaying Instances & Volumes:
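Review bot: the path in the new changelog entry, "/etc/openstack-dashboard/local_settings", does not match the file the postinst hunk actually fixes, "/etc/openstack-dashboard/local_settings.py"; since the changelog is what the security tracker and users read to confirm which file was tightened, the entry should name the file exactly as it is on disk, e.g. "* CVE-2012-5474: /etc/openstack-dashboard/local_settings.py is no longer world readable".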
diff -Nru horizon-2012.1.1/debian/openstack-dashboard.postinst horizon-2012.1.1/debian/openstack-dashboard.postinst
--- horizon-2012.1.1/debian/openstack-dashboard.postinst	2012-09-21 13:20:55.000000000 +0000
+++ horizon-2012.1.1/debian/openstack-dashboard.postinst	2012-11-15 08:50:33.000000000 +0000
@@ -4,10 +4,15 @@
 if [ "$1" = "configure" ]
 then
     adduser --system \
-	--home /var/lib/horizon \
+        --home /var/lib/horizon \
         --quiet \
         --disabled-password \
         --group horizon
+
+	if[ -r /etc/openstack-dashboard/local_settings.py ] ; then
+		chmod 0640 /etc/openstack-dashboard/local_settings.py
+		chown horizon:horizon /etc/openstack-dashboard/local_settings.py
+	fi
 fi
 
-#DEBHELPER#
\ No newline at end of file
+#DEBHELPER#
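Review bot: the added "if[ -r /etc/openstack-dashboard/local_settings.py ] ; then" has no space between "if" and "[", so the shell looks for a command named "if[" rather than running test; with the usual "set -e" in a maintainer script that aborts the postinst on every configure, and without it the chmod/chown block is skipped and the file stays 0644. Change it to "if [ -f /etc/openstack-dashboard/local_settings.py ]; then" (-f rather than -r, since the postinst runs as root and -r is true for any existing file). Two smaller points in the same block: the new lines are tab-indented while the line just above was changed from a tab to spaces, so the hunk now mixes both; and chown horizon:horizon with mode 0640 only works if the process that imports local_settings.py (the WSGI worker under the web server) runs as horizon or in group horizon, which is worth a comment at the chown line.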

--- End Message ---
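The two ways of getting a secrets-bearing settings file to mode 0640 that the request above describes (tightening an already-installed file from the postinst, versus creating it with install -m 0640 as the Folsom packaging does), together with the audit that detects the CVE-2012-5474 condition, as an added example that is not part of the Debian horizon packaging. It assumes a POSIX sh with coreutils install(1); the owner and group arguments are placeholders and are only applied when the script runs as root.

```shell
#!/bin/sh
# Added example, not the horizon package's own maintainer script.
# Assumes POSIX sh plus coreutils install(1) and find(1) with -perm -o=r.

# world_readable FILE: succeed if the "other" read bit is set.
# Column 8 of `ls -ld` output is that bit (-rw-r--r-- gives 'r').
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# audit DIR: print every regular file below DIR that is world-readable.
# This is the check the request describes running against the other
# OpenStack configuration directories. -perm -o=r is POSIX find syntax.
audit() {
    find "$1" -type f -perm -o=r
}

# fix_after_install FILE OWNER GROUP: the postinst approach from the patch.
# The file already exists on disk (unpacked 0644), so it is tightened
# afterwards; between unpack and configure it is still world-readable.
# OWNER/GROUP are placeholders and only applied when running as root.
fix_after_install() {
    if [ -f "$1" ]; then
        chmod 0640 "$1"
        if [ "$(id -u)" = 0 ]; then chown "$2:$3" "$1"; fi
    fi
}

# install_restricted SRC DST OWNER GROUP: the install(1) approach described
# for the Folsom packaging. The destination is created with 0640 from the
# start, so there is never a world-readable copy to clean up.
install_restricted() {
    if [ "$(id -u)" = 0 ]; then
        install -m 0640 -o "$3" -g "$4" "$1" "$2"
    else
        install -m 0640 "$1" "$2"
    fi
}

# demo: reproduce the bug on a scratch copy, apply both fixes, and return 0
# only if the audit reported exactly the one bad file before and none after.
demo() {
    dir=$(mktemp -d)
    umask 022   # the default umask that leaves a freshly written file 0644
    # Constructed settings content standing in for the real local_settings.py.
    printf 'SECRET_KEY = "constructed-example-secret"\n' > "$dir/local_settings.py"
    before=$(audit "$dir" | wc -l | tr -d ' ')   # 1: the CVE-2012-5474 state
    fix_after_install "$dir/local_settings.py" horizon horizon
    install_restricted "$dir/local_settings.py" "$dir/local_settings.py.new" horizon horizon
    after=$(audit "$dir" | wc -l | tr -d ' ')    # 0: both copies are 0640
    rm -rf "$dir"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}
```

Run `audit /etc/openstack-dashboard` (or any other service's configuration directory) on a deployed system to reproduce the check described in the request; any path it prints is readable by every local account. The install(1) variant is preferable in new packaging because the mode is set atomically at creation, so there is no window in which the secrets are exposed.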
--- Begin Message ---
On Thu, 2012-11-15 at 16:04 +0800, Thomas Goirand wrote:
> Horizon had its /etc/openstack-dashboard/local_settings.py
> world readable. This file contains passwords, so that isn't
> good. My latest upload to SID fixes this.

-9 unblocked.

As I mentioned on IRC, uploading just to change the urgency is rather
redundant given that you can just ask us to change it. It was also
pointless in this case given that -8 would have inherited -7's
urgency=high anyway...

Regards,

Adam

--- End Message ---