
Bug#954269: buster-pu: package manila/1:7.0.0-1 CVE-2020-9543



Control: tags -1 + confirmed

On Thu, 2020-03-19 at 15:03 +0100, Thomas Goirand wrote:
> The security team told me that this update is a no-DSA. Can I upload
> this Manila update to proposed-updates then?
> 
> If you didn't know, Manila is OpenStack's file system share as a
> service (like for example, NFS share as a service, running on top of
> a Cinder or a Ceph block storage, or CephFS, or a proprietary NAS,
> etc.).
> 
> FYI, the security bug is that anyone knowing a UUID of a Manila
> share can basically do whatever it wants with it. It's no DSA
> because guessing such a UUID isn't practical, and an operator would
> likely notice if one is attempting to brute-force. I still think it
> deserves patching Buster.
> 

Please go ahead.

Regards,

Adam

