> On Oct 2, 2013, at 5:03 AM, Thierry Carrez <email address hidden> wrote:
>
> RC2 window opened, feel free to backport to milestone-proposed
>
> ** Changed in: trove
> Milestone: None => havana-rc2
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1233305
>
> Title:
> Symlink attack with signing_dir = /tmp/keystone-signing-nova
>
> Status in Trove - Database as a Service:
> Fix Committed
>
> Bug description:
> Hi,
>
> Having such thing in the default configuration file:
>
> signing_dir = /tmp/keystone-signing-nova
>
> was the origin of a CVE in Nova. I would strongly suggest to not use
> known filenames in /tmp, which are vectors of symlink attacks (and no,
> the kernel in Wheezy and Precise doesn't have the feature to stop it,
> that's only in 3.8, IIRC).
>
> The best way to fix it is to use something in the home folder of the
> package, for example in /var/lib/trove.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/trove/+bug/1233305/+subscriptions
Thx dude.
Sent from my digital shackles
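
The bug description above comes down to a check a service can run before it trusts its `signing_dir`. The following is an added example, not code from Trove, Nova or Keystone; `ensure_private_dir`, `UnsafeSigningDir` and the scratch paths in `demo()` are hypothetical names constructed for illustration.

```python
import os
import stat
import tempfile


class UnsafeSigningDir(Exception):
    """The directory cannot be trusted to hold signing material."""


def ensure_private_dir(path, uid=None):
    """Create path as a 0700 directory, or verify one that already exists.

    Hypothetical helper for this example. Returns path, or raises
    UnsafeSigningDir if the entry is a symlink, not a directory, owned by
    another user, or accessible to group/other.
    """
    uid = os.getuid() if uid is None else uid
    try:
        # mkdir() refuses any existing entry, including a symlink planted
        # in advance at a predictable name.
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat() does not follow a final-component symlink
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeSigningDir(f"{path}: is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeSigningDir(f"{path}: not a directory")
    if st.st_uid != uid:
        raise UnsafeSigningDir(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & 0o077:
        raise UnsafeSigningDir(f"{path}: group/other can access it")
    return path


def demo():
    """Constructed scenario in a scratch directory; returns the outcomes."""
    base = tempfile.mkdtemp()
    planted = os.path.join(base, "keystone-signing-demo")
    os.symlink(base, planted)  # stands in for an entry another user made first
    try:
        ensure_private_dir(planted)
        rejected = False
    except UnsafeSigningDir:
        rejected = True
    private = ensure_private_dir(os.path.join(base, "signing"))
    return rejected, stat.S_IMODE(os.lstat(private).st_mode)


if __name__ == "__main__":
    print(demo())
```

Under a service-owned parent such as /var/lib/trove, no other local user can create the entry in the first place, which is why the report recommends that location over a known name in /tmp.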