On 03/26/2011 09:38 PM, Giuseppe Iuculano wrote:
Under these conditions, there's no way something/someone malicious can
connect to DTC-Xen and do the kind of exploit described in this bug.
If someone wants to change the behavior of DTC-Xen and allow connections
and control from VPS *users*, then
On 03/26/2011 02:00 PM, Thomas Goirand wrote:
> I explained it already. The only thing that is supposed to connect to
> the SOAP server of DTC-Xen is the DTC panel. DTC-Xen hasn't been
I don't understand what you mean. If I understood this bug
correctly, there is a SOAP server that accepts inc
On 03/26/2011 07:55 PM, Giuseppe Iuculano wrote:
Hi,
Now, I can see that adding further checking on the Python dtc-xen SOAP
server might enhance security as well, so I will write such checks
anyway, and make it available in the next version of DTC-Xen.
Wont fix
Could you please explain why
Hi,
> Now, I can see that adding further checking on the Python dtc-xen SOAP
> server might enhance security as well, so I will write such checks
> anyway, and make it available in the next version of DTC-Xen.
> Wont fix
Could you please explain why this is wontfix?
I think this is a security is
On 02/01/2011 04:33 PM, Bastian Blank wrote:
> The daemon authenticates users, explicitly, not a given web frontend.
> So it is designed to be reachable by users.
The author is myself, so I know what I'm talking about. DTC-Xen really
is designed for its web front-end, and checks should be made t
On Tue, Feb 01, 2011 at 02:20:14PM +0800, Thomas Goirand wrote:
> If you really think that there's some root exploit in any package, you
> should contact the security team AND the upstream author (myself in this
> case) *privately* to warn them about the issue, so a fix can be
> published before di
Hi Bastian,
First of all, I'm really surprised to see the way you are submitting
this bug report. I normally send a "thank you for this bug report" as an
introduction to each bug sent against my package, but not in this case.
It seems that you believe there are root exploits here, and yet, you are
s
Package: dtc-xen
Version: 0.5.13-3
Severity: grave
Tags: security
dtc-xen includes several command executions as root that use unchecked
user input in dtc-soap-server.
| cmd = "/usr/sbin/dtc_kill_vps_disk %s %s" % (vpsname, imagetype)
| output = commands.getstatusoutput(cmd)
"imagetype" is the