Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Horizon had its /etc/openstack-dashboard/local_settings.py world readable. This file contains passwords, so that isn't good. My latest upload to SID fixes this. Please unblock package horizon 2012.1.1-7.

Note that Debian isn't affected by CVE-2012-5476, or by CVE-2012-5483. I've checked, and the corresponding configuration files are *not* world readable in Debian. The security tracker has been updated for this.

Our Folsom packaging, currently in our Git on Alioth only, isn't affected by any of the above (we rewrote all the management on a unified library which uses BSD install, with -m 0640, so we don't have such problems).

Cheers,

Thomas
diff -Nru horizon-2012.1.1/debian/changelog horizon-2012.1.1/debian/changelog --- horizon-2012.1.1/debian/changelog 2012-09-21 13:20:55.000000000 +0000 +++ horizon-2012.1.1/debian/changelog 2012-11-15 08:50:33.000000000 +0000 @@ -1,3 +1,10 @@ +horizon (2012.1.1-7) unstable; urgency=high + + * CVE-2012-5474: The file /etc/openstack-dashboard/local_settings is not + world readable anymore (Closes: #693287). + + -- Thomas Goirand <z...@debian.org> Thu, 15 Nov 2012 08:47:18 +0000 + horizon (2012.1.1-6) unstable; urgency=low * Keyerror when displaying Instances & Volumes: diff -Nru horizon-2012.1.1/debian/openstack-dashboard.postinst horizon-2012.1.1/debian/openstack-dashboard.postinst --- horizon-2012.1.1/debian/openstack-dashboard.postinst 2012-09-21 13:20:55.000000000 +0000 +++ horizon-2012.1.1/debian/openstack-dashboard.postinst 2012-11-15 08:50:33.000000000 +0000 @@ -4,10 +4,15 @@ if [ "$1" = "configure" ] then adduser --system \ - --home /var/lib/horizon \ + --home /var/lib/horizon \ --quiet \ --disabled-password \ --group horizon + + if[ -r /etc/openstack-dashboard/local_settings.py ] ; then + chmod 0640 /etc/openstack-dashboard/local_settings.py + chown horizon:horizon /etc/openstack-dashboard/local_settings.py + fi fi -#DEBHELPER# \ No newline at end of file +#DEBHELPER#
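Review bot: in the debian/changelog hunk the entry names the file as /etc/openstack-dashboard/local_settings, but the file the postinst hunk actually chmods, and the one the report describes, is /etc/openstack-dashboard/local_settings.py; the changelog should carry the full filename so the record matches the change, e.g. `* CVE-2012-5474: The file /etc/openstack-dashboard/local_settings.py is not` / `world readable anymore (Closes: #693287).`. urgency=high is appropriate for a fix that closes a password disclosure.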
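Review bot: in the openstack-dashboard.postinst hunk, `if[ -r /etc/openstack-dashboard/local_settings.py ] ; then` is a shell syntax error: with no space between `if` and `[`, the shell reads `if[` as an ordinary command name rather than the `if` keyword, and the `then` that follows has no `if` to pair with, so the maintainer script aborts and the package fails to configure, leaving the file exactly as world readable as before. It should read `if [ -r /etc/openstack-dashboard/local_settings.py ] ; then`. Two smaller points: the `--home /var/lib/horizon \` line changes only whitespace and adds noise to a security-fix diff, and the hunk does not show which account serves the dashboard; after `chmod 0640` and `chown horizon:horizon` nothing that is not horizon or in the horizon group can read the settings, so it is worth confirming the process that loads local_settings.py still can.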
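An added check for the class of defect in this report, not code from the report or from the Debian horizon packaging: a small POSIX sh audit that flags world-readable files in a configuration directory and applies the same 0640 plus owner/group fix the postinst intends, guarded by an existence test. The directory, file name, user and group mentioned in the comments are the ones from the report; the helper names (`file_mode`, `world_readable`, `harden_secret_file`, `audit_dir`) are this example's own, and the sample file in any run is constructed, not a real settings file.

```shell
#!/bin/sh
# Added example, not taken from the bug report or from the horizon packaging:
# find world-readable files in a config directory and fix them the way the
# postinst above intends (mode 0640, owned by the service user and group).
# The path, user and group in the comments come from the report; the
# function names are this example's own.

# Print the octal permission bits of FILE, e.g. "644". GNU stat (Linux)
# and BSD stat spell the format option differently, so try GNU first.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# True (exit 0) if FILE is readable by "other", i.e. the read bit (4) is
# set in the lowest octal digit of its mode. This is the defect in the
# report: /etc/openstack-dashboard/local_settings.py, which holds
# passwords, was readable by every local account.
world_readable() {
    mode=$(file_mode "$1") || return 2
    other=${mode#"${mode%?}"}          # last digit = the "other" triplet
    case $other in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Apply the postinst's fix to FILE only if it exists: owner and group of
# the service account (horizon:horizon in the report), then mode 0640 so
# only that user and group can read it. chown needs root outside a test.
harden_secret_file() {
    file=$1 owner=$2 group=$3
    [ -f "$file" ] || return 0
    chown "$owner:$group" "$file" && chmod 0640 "$file"
}

# Report every regular file directly under DIR that is world readable,
# one "mode path" line each. Exit 1 if any was found, 0 if the directory
# is clean, so this can gate a packaging QA run.
audit_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if world_readable "$f"; then
            printf '%s %s\n' "$(file_mode "$f")" "$f"
            bad=1
        fi
    done
    return $bad
}

# Usage: sh audit.sh /etc/openstack-dashboard
[ "$#" -eq 0 ] || audit_dir "$1"
```

Run as root against /etc/openstack-dashboard to see what the postinst would have left behind; the `-f` guard in `harden_secret_file` is the check the patch's `if[ -r ... ]` line was meant to provide, and the audit's non-zero exit makes a regression of this kind visible in a QA script rather than on a production host.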