openstack-packstack: insecure file handling
Package(s): | openstack-packstack | CVE #(s): | CVE-2013-1815
Created: | March 22, 2013 | Updated: | March 27, 2013
Description: | From the Red Hat advisory: PackStack is a command line utility that uses Puppet modules to support rapid deployment of OpenStack on existing servers over an SSH connection. PackStack is suitable for deploying both single node proof of concept installations and more complex multi-node installations. It was found that PackStack did not handle the answer file securely. In some environments, such as those using a non-default umask, a local attacker could possibly modify the answer file if PackStack was run in an attacker controlled directory, or attempted to create the answer file in "/tmp/", allowing the attacker to modify systems being deployed using OpenStack. Note: After applying this update, PackStack will create the answer file in the user's home directory by default. It will no longer create it in the current working directory or the "/tmp/" directory by default. (CVE-2013-1815) The CVE-2013-1815 issue was discovered by Derek Higgins of the Red Hat OpenStack team.
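The file-handling weakness described in the advisory, shown as an added Python example next to a hardened form. This is not PackStack's code or its actual patch; the function names, file names and file contents are hypothetical.

```python
import os
import stat
import tempfile


def write_answer_file_unsafe(path, text):
    # Weak pattern: the mode ends up as 0666 & ~umask, and open() will follow
    # a symlink or truncate a file someone else planted at `path`.
    with open(path, "w") as fh:
        fh.write(text)


def write_answer_file(path, text):
    """Create `path` as a brand-new 0600 file in a directory only we control."""
    parent = os.path.dirname(os.path.abspath(path))
    st = os.stat(parent)
    # Reject /tmp-style or foreign-owned directories: anyone who can write to
    # the parent can pre-create or replace the file.
    if st.st_uid != os.getuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{parent} is not exclusively writable by this user")
    # O_EXCL: fail if anything (file or symlink) already exists at `path`.
    # Mode 0600: the umask can only clear bits, so it can never widen this.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def file_mode(path):
    # Permission bits of the path itself (lstat: do not follow symlinks).
    return stat.S_IMODE(os.lstat(path).st_mode)


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()  # constructed stand-in for the user's home directory
    old_umask = os.umask(0)       # simulate a permissive, non-default umask
    try:
        # Constructed sample content, not a real answer file.
        write_answer_file_unsafe(os.path.join(workdir, "unsafe.txt"), "EXAMPLE_KEY=1\n")
        write_answer_file(os.path.join(workdir, "answers.txt"), "EXAMPLE_KEY=1\n")
    finally:
        os.umask(old_umask)
    for name in ("unsafe.txt", "answers.txt"):
        print(name, oct(file_mode(os.path.join(workdir, name))))
```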