CVE-2013-2030
Publication date 9 May 2013
Last updated 24 July 2024
Ubuntu priority
keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.
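The check below is an added example, not code from Nova or Keystone: one way a service could validate a certificate directory before reusing it, so that a directory pre-created by another local user is rejected rather than trusted. The names `ensure_private_dir` and `UnsafeSigningDir` are hypothetical.

```python
import os
import stat


class UnsafeSigningDir(Exception):
    """Raised when a directory cannot be trusted to hold signing certificates."""


def ensure_private_dir(path):
    """Create `path` as a 0700 directory, or verify that an existing one is safe.

    An existing path is accepted only if it is a real directory (not a
    symlink), owned by the current user, and closed to group and others.
    """
    try:
        os.mkdir(path, 0o700)  # raises FileExistsError if the path already exists
    except FileExistsError:
        pass  # possibly pre-created by someone else: fall through to the checks

    st = os.lstat(path)  # lstat, so a planted symlink is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeSigningDir(f"{path} is not a directory")
    if st.st_uid != os.geteuid():
        raise UnsafeSigningDir(f"{path} is owned by uid {st.st_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise UnsafeSigningDir(f"{path} is accessible to group or others")
    return path
```

Placing the directory under a parent that only the service account can write to removes the race entirely, since no other local user can create the path first.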
Status
Package | Ubuntu Release | Status |
---|---|---|
nova | | |
Notes
jdstrand
Ubuntu 12.04 LTS and lower not affected. /tmp/keystone-signing-nova is created but it is owned by the nova user and symlink restrictions are in effect. Upstream fix is to change /etc/nova/api-paste.ini. Since this issue is mitigated by symlink restrictions, ignoring since a config file change is too intrusive.
Patch details
Package | Patch details |
---|---|
nova | |