txlongpoll.yaml contains password but is world readable
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | maas (Ubuntu) |
Undecided
|
Andres Rodriguez | ||
Bug Description
/etc/maas/
| nobody@polong:/$ cat /etc/maas/
[...]
| ## Message broker configuration.
| #
| broker:
| host: "localhost"
| port: 5672
| username: "maas_longpoll"
| password: "XXXXXXXXXXXXXX
^^^^
| vhost: "/maas_longpoll"
|
| ## Where to log. This log can be rotated by sending SIGUSR1 to the
| ## running server.
| #
| # logfile: "txlongpoll.log"
| logfile: "/var/log/
| nobody@polong:/$
| James Troup (elmo) wrote : | #1 |
| Marc Deslauriers (mdeslaur) wrote : | #2 |
This is CVE-2013-1069
| Marc Deslauriers (mdeslaur) wrote : | #3 |
Andres,
Could you take a look at this, please?
| Changed in maas (Ubuntu): | |
| assignee: | nobody → Andres Rodriguez (andreserl) |
| Jamie Strandboge (jdstrand) wrote : | #4 |
Any progress on this?
| Andres Rodriguez (andreserl) wrote : | #6 |
Attached the patch above.
| Andres Rodriguez (andreserl) wrote : | #7 |
Attached wrong patch, here is the correct one.
| Seth Arnold (seth-arnold) wrote : | #8 |
Thanks for the patch, but it did not fix the permissions of an existing file upon upgrade.
I've attached a patch that fixes permissions of the file upon upgrade; please add this, or something very similar, to the postinst for the trusty packaging. I have added this stanza to the packaging for precise, quantal, and saucy releases. I believe we can remove it for the 14.10 release, probably MAAS users will jump from one LTS to the next.
Thanks
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package maas - 1.4+bzr1693+
---------------
maas (1.4+bzr1693+
* SECURITY UPDATE: incorrect Content-type header allowed cross-site
scripting vulnerability if an unknown API was used. (LP: #1251336)
- debian/
browsers to not render error messages as HTML.
- CVE-2013-1070
* SECURITY UPDATE: /etc/maas/
password. (LP: #1254034)
- debian/
/
- CVE-2013-1069
-- Seth Arnold <email address hidden> Tue, 11 Feb 2014 12:16:40 -0800
| Changed in maas (Ubuntu): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package maas - 1.2+bzr1373+
---------------
maas (1.2+bzr1373+
* SECURITY UPDATE: incorrect Content-type header allowed cross-site
scripting vulnerability if an unknown API was used. (LP: #1251336)
- debian/
browsers to not render error messages as HTML.
- CVE-2013-1070
* SECURITY UPDATE: /etc/maas/
password. (LP: #1254034)
- debian/
/
- CVE-2013-1069
-- Seth Arnold <email address hidden> Mon, 10 Feb 2014 22:49:35 -0800
| Changed in maas (Ubuntu): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package maas - 1.2+bzr1373+
---------------
maas (1.2+bzr1373+
* SECURITY UPDATE: incorrect Content-type header allowed cross-site
scripting vulnerability if an unknown API was used. (LP: #1251336)
- debian/
browsers to not render error messages as HTML.
- CVE-2013-1070
* SECURITY UPDATE: /etc/maas/
password. (LP: #1254034)
- debian/
/
- CVE-2013-1069
-- Seth Arnold <email address hidden> Tue, 11 Feb 2014 12:07:50 -0800
| Changed in maas (Ubuntu): | |
| status: | New → Fix Released |
| information type: | Private Security → Public Security |
james@polong:~$ dpkg -c /var/cache/
-rw-r--r-- root/root 856 2013-11-02 06:23 ./etc/maas/