--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Horizon had its /etc/openstack-dashboard/local_settings.py
world readable. This file contains passwords, so that isn't
good. My latest upload to SID fixes this.
Please unblock package horizon 2012.1.1-7.
Note that Debian isn't affected by CVE-2012-5476, or by
CVE-2012-5483. I've checked, and the corresponding
configuration files are *not* world readable in Debian.
The security tracker has been updated for this.
Our Folsom packaging, currently in our Git on Alioth only,
isn't affected by any of the above (we rewrote all the
management on a unified library which uses BSD install,
with -m 0640, so we don't have such problems).
Cheers,
Thomas
diff -Nru horizon-2012.1.1/debian/changelog horizon-2012.1.1/debian/changelog
--- horizon-2012.1.1/debian/changelog 2012-09-21 13:20:55.000000000 +0000
+++ horizon-2012.1.1/debian/changelog 2012-11-15 08:50:33.000000000 +0000
@@ -1,3 +1,10 @@
+horizon (2012.1.1-7) unstable; urgency=high
+
+ * CVE-2012-5474: The file /etc/openstack-dashboard/local_settings is not
+ world readable anymore (Closes: #693287).
+
+ -- Thomas Goirand <zigo@debian.org> Thu, 15 Nov 2012 08:47:18 +0000
+
horizon (2012.1.1-6) unstable; urgency=low
* Keyerror when displaying Instances & Volumes:
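Review bot: the changelog line `+ * CVE-2012-5474: The file /etc/openstack-dashboard/local_settings is not` names the file without its `.py` suffix, while the postinst hunk in the same upload operates on `/etc/openstack-dashboard/local_settings.py`; use the full filename so the entry matches the file the fix actually touches, and consider wording it as "no longer world readable" for readability.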
diff -Nru horizon-2012.1.1/debian/openstack-dashboard.postinst horizon-2012.1.1/debian/openstack-dashboard.postinst
--- horizon-2012.1.1/debian/openstack-dashboard.postinst 2012-09-21 13:20:55.000000000 +0000
+++ horizon-2012.1.1/debian/openstack-dashboard.postinst 2012-11-15 08:50:33.000000000 +0000
@@ -4,10 +4,15 @@
if [ "$1" = "configure" ]
then
adduser --system \
- --home /var/lib/horizon \
+ --home /var/lib/horizon \
--quiet \
--disabled-password \
--group horizon
+
+ if[ -r /etc/openstack-dashboard/local_settings.py ] ; then
+ chmod 0640 /etc/openstack-dashboard/local_settings.py
+ chown horizon:horizon /etc/openstack-dashboard/local_settings.py
+ fi
fi
-#DEBHELPER#
\ No newline at end of file
+#DEBHELPER#
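Review bot: `+ if[ -r /etc/openstack-dashboard/local_settings.py ] ; then` is missing the space between `if` and `[`, so the shell looks for a command named `if[`, the test fails and the chmod/chown block is never executed in the `configure` branch; it must read `if [ -r /etc/openstack-dashboard/local_settings.py ]; then`. Two smaller points: `-r` is evaluated as root in a maintainer script, for whom any existing file is readable, so `-f` expresses the intent (the file exists) more precisely; and the `--home /var/lib/horizon \` line appears to change only in whitespace, which is worth a mention in the changelog or dropping from the diff to keep the security fix minimal.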
--- End Message ---
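The problem described in the report above (a configuration file holding passwords left readable by every local user, fixed by setting mode 0640 in the maintainer script) is easy to audit for outside of a package build. The following POSIX shell script is an added example and is not part of the bug report or of the horizon package; it checks a file's "other" read bit directly rather than with `test -r`, which is always true for root, and applies the same 0640 fix. The file it operates on is a constructed temporary file, not the real `local_settings.py`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Debian bug report or the horizon package:
# audit a configuration file that holds secrets for the world-readable bit the
# report's postinst removes with chmod 0640, and fix it the same way.
# Note: "test -r FILE" is true for root on any existing file, so it cannot tell
# "readable by others"; the permission string printed by ls -ld is inspected.

# is_world_readable FILE  -> returns 0 when "other" has the read bit set,
#                            1 when it does not, 2 when FILE does not exist
is_world_readable() {
    [ -e "$1" ] || return 2
    # ls -ld prints e.g. "-rw-r--r--"; character 8 is the "other" read bit
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# harden_secret_file FILE [OWNER:GROUP]
# Sets mode 0640 (owner rw, group r, others nothing), as the postinst does.
# The chown step only runs when an owner is given, because it needs root.
harden_secret_file() {
    chmod 0640 "$1" || return 1
    if [ -n "$2" ]; then
        chown "$2" "$1" || return 1
    fi
}

# audit_secret_file FILE  -> prints one finding; returns 0 if OK, 1 if exposed
audit_secret_file() {
    if is_world_readable "$1"; then
        printf 'EXPOSED: %s is readable by all local users\n' "$1"
        return 1
    fi
    printf 'OK: %s is not world readable\n' "$1"
}

# Stand-alone demo on a constructed file standing in for local_settings.py.
demo_file=$(mktemp)
printf 'SECRET_KEY = "constructed-example-value"\n' > "$demo_file"
chmod 0644 "$demo_file"           # the state the bug report describes
audit_secret_file "$demo_file" || true
harden_secret_file "$demo_file"   # no OWNER:GROUP given, so no root needed
audit_secret_file "$demo_file"
rm -f "$demo_file"
```

In a real deployment the owner argument would be the service account (the postinst uses `horizon:horizon`) so that only the daemon's user and group can read the file; the audit function is the part worth running periodically, since a package upgrade or a hand edit can silently restore 0644.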
--- Begin Message ---
On Thu, 2012-11-15 at 16:04 +0800, Thomas Goirand wrote:
> Horizon had its /etc/openstack-dashboard/local_settings.py
> world readable. This file contains passwords, so that isn't
> good. My latest upload to SID fixes this.
-9 unblocked.
As I mentioned on IRC, uploading just to change the urgency is rather
redundant given that you can just ask us to change it. It was also
pointless in this case given that -8 would have inherited -7's
urgency=high anyway...
Regards,
Adam
--- End Message ---