Your message dated Fri, 05 Jun 2015 01:27:20 +0200
with message-id <[email protected]>
and subject line Re: [PKG-Openstack-devel] Bug#787654: Bug#787654: Bug#787654: Bug#787654: openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
has caused the Debian Bug report #787654,
regarding openstack-trove: CVE-2015-3156: multiple insecure /tmp file usage issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
787654: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787654
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openstack-trove
Version: 2015.1.0-1
Severity: normal
Tags: security upstream
Hi,
The following vulnerability was published for openstack-trove.
CVE-2015-3156[0]:
multiple insecure /tmp file usage issues
More information can be found in the Red Hat bugzilla[1], but at the
time of writing this bug report there are no upstream patches (since
upstream seems to disagree with downstreams).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3156
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1216073
[2] https://bugzilla.novell.com/show_bug.cgi?id=929535
[3] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3156.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
On 06/04/2015 09:18 PM, László Böszörményi (GCS) wrote:
> On Thu, Jun 4, 2015 at 8:09 PM, Salvatore Bonaccorso <[email protected]>
> wrote:
>> On Thu, Jun 04, 2015 at 09:25:56AM +0200, Thomas Goirand wrote:
>>> On 06/03/2015 11:19 PM, László Böszörményi (GCS) wrote:
>>>> Control: fixed -1 2015.1~rc2-1
> The version set for being vulnerable is wrong by the way, but I don't
> know which was the first version that contains these bugs.
>
>>>> On Wed, Jun 3, 2015 at 10:25 PM, Salvatore Bonaccorso <[email protected]>
>>>> wrote:
>>>>> Note that this at least seems partially addressed, namely in the
>>>>> Cassandra part. I have not checked all remaining occurrences.
> [...]
>> Yes, I agree that the severity is rather low (we marked the issue as
>> well as no-dsa, btw). I think we can just re-evaluate later kilo
>> releases if upstream has fixed all the occurrences for CVE-2015-3156
>> and don't need an extraordinary/immediate action on this bug, but just
>> follow when upstream fixes them.
>>
>> Would you concur with this?
> If you ask me, I have doubts upstream will take further steps with
> this CVE. Their vulnerability team said they don't ask for a CVE
> number as the impact is very low, if it is even possible to utilize it. As
> the 'bugs' were found last December and only the Cassandra part has been
> fixed for six months, and that's already part of Stretch, I say this bug
> can be closed as fixed after setting the correct 'found' version.
>
> Cheers,
> Laszlo/GCS
I fully agree.
Thomas
--- End Message ---