On 05/27/2018 08:29 AM, Salvatore Bonaccorso wrote:
> Source: tripleo-heat-templates
> Version: 5.2.0-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://bugs.launchpad.net/tripleo/+bug/1720787
>
> Hi,
>
> The following vulnerability was published for tripleo-heat-templates.
>
> CVE-2017-12155[0]:
> | A resource-permission flaw was found in the
> | openstack-tripleo-heat-templates package where
> | ceph.client.openstack.keyring is created as world-readable. A local
> | attacker with access to the key could read or modify data on Ceph
> | cluster pools for OpenStack as though the attacker were the OpenStack
> | service, thus potentially reading or modifying data in an OpenStack
> | Block Storage volume.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-12155
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12155
> [1] https://bugs.launchpad.net/tripleo/+bug/1720787
>
> Regards,
> Salvatore

Hi Salvatore,

I don't think anyone can even use tripleo-heat-templates in Debian, as
we don't have a working TripleO anyway. I just asked for its removal
from Sid. Therefore, I don't really feel like spending the time on
fixing this will be remotely useful.

In this kind of situation, shall we simply close the bug?

Cheers.

Thomas Goirand (zigo)

