Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1319562711.16989.5.camel@localhost>
Date: Tue, 25 Oct 2011 12:11:51 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: thierry@...nstack.org, security <security@...ntu.com>
Subject: CVE request: nova

A flaw was discovered in OpenStack nova[1] which allows someone with
access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the
EC2_SECRET_KEY (equivalent to a password). While the EC2_ACCESS_KEY is
typically not public, if the user exposes it via http or tools that
allow MITM over https, then an attacker could obtain the EC2_SECRET_KEY
easily. An attacker could also presumably brute force values for
EC2_ACCESS_KEY.

Fix:
https://review.openstack.org/#change,794

[1]https://launchpad.net/bugs/868360

-- 
Jamie Strandboge             | http://www.canonical.com


Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.