News and announcements

heat-cfntools release 1.2.3

Written for heat-cfntools by Steve Baker on 2013-04-11

The heat development community would like to announce the release of heat-cfntools version 1.2.3. This release contains security fixes.

heat-cfntools contains the tools that can be installed on Heat provisioned cloud instances to implement portions of CloudFormation compatibility.

This release can be installed from the following locations:
http://tarballs.openstack.org/heat-cfntools/heat-cfntools-1.2.3.tar.gz
https://pypi.python.org/pypi/heat-cfntools/1.2.3

During normal development, improper handling of temporary files in
heat-cfntools was found and fixed. Heat-cfntools are a set of tools to
enable Heat templates to initialize and respond to configuration changes
via the orchestration layer. A local user could exploit predictable temp
file creation to make root overwrite a file, potentially by also using
local DNS cache poisoning, with a file of their choosing.

It is recommended that any users update these tools immediately. In
particular if you have downloaded older "HEAT-JEOS" images, you should
download new ones which have been built with the fixed heat-cfntools
embedded.

The following issues are fixed in this release:

#1166323 (Clint Byrum) Predictable /tmp filenames used in SourcesHandler
#1164756 (Clint Byrum) /tmp/last_metadata is vulnerable to tmpfile races by arbitrary users

Updated on 2013-04-11.