Comment 3 for bug 1354208

Thierry Carrez (ttx) wrote : Re: Catalog replacement allows reading config

It's a difficult fix, since it's one of those cases where a feature has corner case security consequences. You can't really remove the "feature" in a stable release, since that would be changing behavior that people might rely on. So my suggestion would be to drop the "feature" in future versions, and document the corner case security issue ("don't let anyone create endpoints!") in an OSSN...

Adding keystone-coresec and ossg-coresec for more input on this.