Comment 61 for bug 1496277

Zane Bitter (zaneb) wrote : Re: template-validate may read server local files (CVE-2015-5295)

Users should *always* launch templates only from trusted sources. There is no time when launching a template from an untrusted source would be a good idea, any more than running a shell script from an untrusted source would be.

There isn't a bug in the client, so there's nothing to update. There isn't anything we could do even in principle, because the user is allowed to reference any file they like (unlike on the server where they're all supposed to be installed in /etc/heat/). I don't think we should imply otherwise.