txlongpoll.yaml contains password but is world readable
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| maas (Ubuntu) |
Undecided
|
Andres Rodriguez |
Bug Description
/etc/maas/
| nobody@polong:/$ cat /etc/maas/
[...]
| ## Message broker configuration.
| #
| broker:
| host: "localhost"
| port: 5672
| username: "maas_longpoll"
| password: "XXXXXXXXXXXXXX
^^^^
| vhost: "/maas_longpoll"
|
| ## Where to log. This log can be rotated by sending SIGUSR1 to the
| ## running server.
| #
| # logfile: "txlongpoll.log"
| logfile: "/var/log/
| nobody@polong:/$
James Troup (elmo) wrote : | #1 |
Marc Deslauriers (mdeslaur) wrote : | #2 |
This is CVE-2013-1069
Marc Deslauriers (mdeslaur) wrote : | #3 |
Andres,
Could you take a look at this, please?
Changed in maas (Ubuntu): | |
assignee: | nobody → Andres Rodriguez (andreserl) |
Jamie Strandboge (jdstrand) wrote : | #4 |
Any progress on this?
Andres Rodriguez (andreserl) wrote : | #6 |
Attached the patch above.
Andres Rodriguez (andreserl) wrote : | #7 |
Attached wrong patch, here is the correct one.
Seth Arnold (seth-arnold) wrote : | #8 |
Thanks for the patch, but it did not fix the permissions of an existing file upon upgrade.
I've attached a patch that fixes permissions of the file upon upgrade; please add this, or something very similar, to the postinst for the trusty packaging. I have added this stanza to the packaging for precise, quantal, and saucy releases. I believe we can remove it for the 14.10 release, probably MAAS users will jump from one LTS to the next.
Thanks
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package maas - 1.4+bzr1693+
---------------
maas (1.4+bzr1693+
* SECURITY UPDATE: incorrect Content-type header allowed cross-site
scripting vulnerability if an unknown API was used. (LP: #1251336)
- debian/
browsers to not render error messages as HTML.
- CVE-2013-1070
* SECURITY UPDATE: /etc/maas/
password. (LP: #1254034)
- debian/
/
- CVE-2013-1069
-- Seth Arnold <email address hidden> Tue, 11 Feb 2014 12:16:40 -0800
Changed in maas (Ubuntu): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package maas - 1.2+bzr1373+
---------------
maas (1.2+bzr1373+
* SECURITY UPDATE: incorrect Content-type header allowed cross-site
scripting vulnerability if an unknown API was used. (LP: #1251336)
- debian/
browsers to not render error messages as HTML.
- CVE-2013-1070
* SECURITY UPDATE: /etc/maas/
password. (LP: #1254034)
- debian/
/
- CVE-2013-1069
-- Seth Arnold <email address hidden> Mon, 10 Feb 2014 22:49:35 -0800
Changed in maas (Ubuntu): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package maas - 1.2+bzr1373+
---------------
maas (1.2+bzr1373+
* SECURITY UPDATE: incorrect Content-type header allowed cross-site
scripting vulnerability if an unknown API was used. (LP: #1251336)
- debian/
browsers to not render error messages as HTML.
- CVE-2013-1070
* SECURITY UPDATE: /etc/maas/
password. (LP: #1254034)
- debian/
/
- CVE-2013-1069
-- Seth Arnold <email address hidden> Tue, 11 Feb 2014 12:07:50 -0800
Changed in maas (Ubuntu): | |
status: | New → Fix Released |
information type: | Private Security → Public Security |
james@polong:~$ dpkg -c /var/cache/ apt/archives/ maas-region- controller_ 1.2+bzr1373+ dfsg-0ubuntu1~ 12.04.4_ all.deb | grep txlongpoll.yaml txlongpoll. yaml
-rw-r--r-- root/root 856 2013-11-02 06:23 ./etc/maas/