heat-cfntools release 1.2.3
Written for heat-cfntools by Steve Baker on 2013-04-11
The heat development community would like to announce the release of heat-cfntools version 1.2.3. This release contains security fixes.
heat-cfntools contains the tools that can be installed on Heat provisioned cloud instances to implement portions of CloudFormation compatibility.
This release can be installed from the following locations:
http://
https:/
During normal development, improper handling of temporary files in
heat-cfntools was found and fixed. Heat-cfntools are a set of tools to
enable Heat templates to initialize and respond to configuration changes
via the orchestration layer. A local user could exploit predictable temp
file creation to make root overwrite a file, potentially by also using
local DNS cache poisoning, with a file of their choosing.
It is recommended that any users update these tools immediately. In
particular if you have downloaded older "HEAT-JEOS" images, you should
download new ones which have been built with the fixed heat-cfntools
embedded.
The following issues are fixed in this release:
#1166323 (Clint Byrum) Predictable /tmp filenames used in SourcesHandler
#1164756 (Clint Byrum) /tmp/last_metadata is vulnerable to tmpfile races by arbitrary users
Updated .
