On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote: > Control: fixed -1 2015.1~rc2-1 > > Hi Salvatore, > > On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <[email protected]> > wrote: >> Note that this as least seem partially addressed, namely in the >> cassandra part. I have not checked all remeaining occurences. > Yes, the Cassandra part is fixed last year[1]. The fixing path also > available[2]. Other parts are not fixed, keep reading. > One of the developers, Nikhil Manchanda states[3]: > "The impact of this is pretty minimal. From a deployment perspective, > datastores are deployed so that file access is not allowed. Coupling > that with the fact that SSH access to the Trove instance is also > restricted, this vulnerability seems very hard to exploit. However, > regardless of these mitigations, we're planning on having a fix for > this in Trove during kilo." > Later Jeremy Stanley, a member of the OpenStack Vulnerability > Management Team states[4]: > "Due to the need for access to the instance filesystem and the limited > exposure (basically anyone with shell access to a Trove instance is > going to be the administrator of the infrastructure on which it's > running) along with the fact that it's only slated to be fixed in the > master branch for inclusion in the upcoming Kilo release, the VMT will > not be publishing a security advisory nor requesting a CVE for this > bug." > > Then it was reviewed and merged to master back on 21st of January[5]. > Thus the fix is part of 2015.1.0rc2 which was tagged on 23rd of > April[6] and was uploaded to Sid on 29th of April[7]. Marking the bug > accordingly. > > Regards, > Laszlo/GCS
FWIW, I agree with Jeremy Stanley view. I don't see how one would exploit the issue, if there's one at all. I see that the issue is marked as very low in the tracker, I agree with that. I'm even tempted to tag the Debian bug with +wontfix (note: the attached patch in launchpad only fixes the issue for Cassandra, and doesn't even apply on top of Icehouse (ie: 2014.1.3) in Jessie). Your thoughts? Cheers, Thomas Goirand (zigo) -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

