It looks like all the nova cases are actually handled here ** No longer affects: nova
-- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1192971 Title: Command execution cases need to be strengthened Status in Cinder: In Progress Status in OpenStack Security Advisories: Won't Fix Bug description: Grant Murphy from Red Hat Product Security Team reports the following potential vulnerability: For the most part OpenStack seems to do command execution safely using subprocess.Popen. There are two instances where things become a little dubious. The first is when shell=True is used with subprocess. This doesn't prevent arguments being supplied that allow for multiple commands to be executed. e.g. '; cat /etc/passwd'. The second case is where commands are made to an external ssh host. See attached file for a lit of potential injections: we should double- check them (even if I expect most of them to turn false positive) To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1192971/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
