Hi Thomas, hi László, On Thu, Jun 04, 2015 at 09:25:56AM +0200, Thomas Goirand wrote: > On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote: > > Control: fixed -1 2015.1~rc2-1 > > > > Hi Salvatore, > > > > On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <[email protected]> > > wrote: > >> Note that this as least seem partially addressed, namely in the > >> cassandra part. I have not checked all remeaining occurences. > > Yes, the Cassandra part is fixed last year[1]. The fixing path also > > available[2]. Other parts are not fixed, keep reading. > > One of the developers, Nikhil Manchanda states[3]: > > "The impact of this is pretty minimal. From a deployment perspective, > > datastores are deployed so that file access is not allowed. Coupling > > that with the fact that SSH access to the Trove instance is also > > restricted, this vulnerability seems very hard to exploit. However, > > regardless of these mitigations, we're planning on having a fix for > > this in Trove during kilo." > > Later Jeremy Stanley, a member of the OpenStack Vulnerability > > Management Team states[4]: > > "Due to the need for access to the instance filesystem and the limited > > exposure (basically anyone with shell access to a Trove instance is > > going to be the administrator of the infrastructure on which it's > > running) along with the fact that it's only slated to be fixed in the > > master branch for inclusion in the upcoming Kilo release, the VMT will > > not be publishing a security advisory nor requesting a CVE for this > > bug." > > > > Then it was reviewed and merged to master back on 21st of January[5]. > > Thus the fix is part of 2015.1.0rc2 which was tagged on 23rd of > > April[6] and was uploaded to Sid on 29th of April[7]. Marking the bug > > accordingly. > > > > Regards, > > Laszlo/GCS > > FWIW, I agree with Jeremy Stanley view. I don't see how one would > exploit the issue, if there's one at all. > > I see that the issue is marked as very low in the tracker, I agree with > that. I'm even tempted to tag the Debian bug with +wontfix (note: the > attached patch in launchpad only fixes the issue for Cassandra, and > doesn't even apply on top of Icehouse (ie: 2014.1.3) in Jessie).
Yes, I agree that the severity is rather low (we marked the issue as well as no-dsa, btw). I think we can just reevaluate later kilo releases if upstream has fixed all the occurences for CVE-2015-3156 and don't need an extraordinary/immediate action on this bug but just follow when upstream fixes them. Would you concur with this? Regards, Salvatore -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

