CVE-2014-5247

Priority
Description
The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py
in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable
permissions for the configuration backup file, which allows local users to
obtain SSL keys, remote API credentials, and other sensitive information by
reading the file, related to the upgrade command.
Package
Upstream: released (2.11.5-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Trusty/esm: DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2.15.2-3)
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 18.10 (Cosmic Cuttlefish): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): needed
Patches:
Upstream: http://git.ganeti.org/?p=ganeti.git;a=commit;h=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0
More Information

Updated: 2019-04-26 14:14:56 UTC (commit 30899e40836d26e1bb5f0b072d31fd87b6cf3bd4)