Launchpad.net

CVE 2013-2030

keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.

Related bugs and status

CVE-2013-2030 (Candidate) is related to these bugs:

Bug #1174608: [OSSA 2013-010] Insecure directory creation for signing

		In	Importance	Status
1174608	[OSSA 2013-010] Insecure directory creation for signing	OpenStack Compute (nova)	High	Fix Released
1174608	[OSSA 2013-010] Insecure directory creation for signing	python-keystoneclient	Medium	Fix Released
1174608	[OSSA 2013-010] Insecure directory creation for signing	OpenStack Compute (nova) grizzly	High	Fix Released
1174608	[OSSA 2013-010] Insecure directory creation for signing	OpenStack Identity (keystone)	Undecided	Invalid
1174608	[OSSA 2013-010] Insecure directory creation for signing	OpenStack Identity (keystone) folsom	Medium	Fix Released
1174608	[OSSA 2013-010] Insecure directory creation for signing	OpenStack Security Advisory	Undecided	Fix Released

Bug #1179584: Update grizzly code base to the 2013.1.1 release

Summary				In	Importance	Status
	1179584	Update grizzly code base to the 2013.1.1 release		Cisco Openstack	High	Fix Released
	1179584	Update grizzly code base to the 2013.1.1 release		Cisco Openstack grizzly	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2013-2030

Related bugs and status

Related bugs

References