openstack team mailing list archive
Message #22558
[Heat] heat-cfntools v1.2.3 released - temp file race condition fix.
The heat development community would like to announce the release of
heat-cfntools version 1.2.3. This release contains security fixes.
heat-cfntools contains the tools that can be installed on Heat
provisioned cloud instances to implement portions of CloudFormation
compatibility.
This release can be installed from the following locations:
http://tarballs.openstack.org/heat-cfntools/heat-cfntools-1.2.3.tar.gz
https://pypi.python.org/pypi/heat-cfntools/1.2.3
During normal development, improper handling of temporary files in
heat-cfntools was found and fixed. Heat-cfntools are a set of tools to
enable Heat templates to initialize and respond to configuration changes
via the orchestration layer. A local user could exploit predictable temp
file creation to make root overwrite a file, potentially by also using
local DNS cache poisoning, with a file of their choosing.
It is recommended that any users update these tools immediately. In
particular if you have downloaded older "HEAT-JEOS" images, you should
download new ones which have been built with the fixed heat-cfntools
embedded.
The following issues are fixed in this release:
#1166323 (Clint Byrum) Predictable /tmp filenames used in SourcesHandler
#1164756 (Clint Byrum) /tmp/last_metadata is vulnerable to tmpfile races by arbitrary users
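An added example, not part of the announcement and not heat-cfntools code: it contrasts the predictable-name write described above with a safer write, inside a throwaway sandbox directory. The function names, the sandbox layout and the idea of a service-only state directory are assumptions made for illustration; the demo deliberately leaves a symlink at the final file name to show that the safer write replaces it instead of following it.

```python
import os
import stat
import tempfile
from pathlib import Path


def write_predictable(path, data):
    # Unsafe pattern: fixed, guessable name in a shared directory. open()
    # follows a symlink planted at that name, so the link's target is written.
    with open(path, "w") as f:
        f.write(data)


def write_private_atomic(state_dir, name, data):
    # Safer pattern: mkstemp() picks a random name and creates it with
    # O_EXCL and mode 0600; state_dir should be writable only by the service.
    fd, tmp = tempfile.mkstemp(prefix=name + ".", dir=state_dir)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        # rename(2) replaces a symlink at the destination; it never follows it.
        os.replace(tmp, os.path.join(state_dir, name))
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    # Constructed sandbox: "shared" stands in for /tmp, "victim" for a file
    # that only root may write. Nothing outside the sandbox is touched.
    with tempfile.TemporaryDirectory() as sandbox:
        victim = Path(sandbox, "victim.conf")
        shared = Path(sandbox, "shared")
        shared.mkdir()
        target = shared / "last_metadata"

        def reset():
            victim.write_text("original")
            target.unlink(missing_ok=True)
            target.symlink_to(victim)  # link already sitting at the known name

        reset()
        write_predictable(target, "metadata")
        overwritten = victim.read_text() == "metadata"

        reset()
        write_private_atomic(str(shared), "last_metadata", "metadata")
        intact = victim.read_text() == "original"
        mode = target.lstat().st_mode
        return overwritten, intact, stat.S_ISREG(mode), stat.S_IMODE(mode) & 0o077 == 0
```

`demo()` returns four booleans: the predictable write changed the victim file, the safer write left it intact, the final file is a regular file, and it carries no group or other permissions.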