[PKG-Openstack-devel] Bug#765704: CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log files.

Thomas Goirand zigo at debian.org
Fri Oct 17 12:50:27 UTC 2014


Package: cinder
Version: 2014.1.3-3
Severity: important
Tags: security

Amrith Kumar from Tesora reported two vulnerabilities in the
processutils.execute() and strutils.mask_password() functions available
from oslo-incubator that are copied into each project's code. An
attacker with read access to the services' logs may obtain passwords
used as a parameter of a command that has failed (CVE-2014-7230) or when
mask_password did not mask passwords properly (CVE-2014-7231). All
Cinder, Nova and Trove setups are affected.

Note from package maintainer:

The fix here:
https://review.openstack.org/121382 (Cinder)

is already applied on 2014.1.3, and the fix here:
https://review.openstack.org/126665 (Cinder ssh_execute)

will be uploaded in 2014.1.3-4 which I'm currently preparing.

Thomas Goirand (zigo)
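As an added illustration of the two failure modes in the advisory above (this is constructed example code, not oslo-incubator's `processutils.execute()`/`strutils.mask_password()` and not the Cinder patches linked in this bug): a deliberately incomplete masking routine beside one that covers the common shapes a secret takes on a command line, and an `execute()` wrapper that masks the command line before it can reach an exception message or a log. The key list, the regular expressions, the sample commands and the `hunter2`/`s3cr3t` values are all assumptions made for the example.

```python
"""Added example (not oslo-incubator's code and not the Cinder patches linked
above): masking secrets in command lines before they reach logs or exceptions.
Key names, patterns and sample commands are constructed for illustration."""
import re
import subprocess
import sys

# Constructed list of secret-bearing keys; the real oslo list differs.
_KEYS = r"(?:password|passwd|auth_token|secret)"

# 'Before' shape: handles bare password=value only. Quoted values, JSON bodies
# and "--flag value" arguments slip through unmasked (constructed, incomplete).
_NAIVE = re.compile(r"(password=)\S+", re.IGNORECASE)


def naive_mask_password(message, secret="***"):
    """Incomplete masking: only password=value with an unquoted value."""
    return _NAIVE.sub(r"\g<1>" + secret, message)


# Hardened shape: each pattern captures the prefix (key plus separator) and,
# where the value is quoted, the quote character, so only the value is replaced.
_PATTERNS = [
    # quoted values: password="x", 'password': 'x', --password "x y"
    re.compile(r"(?P<pre>[\"']?" + _KEYS + r"[\"']?\s*[=:\s]\s*)"
               r"(?P<q>[\"'])(?P<val>.*?)(?P=q)", re.IGNORECASE),
    # unquoted key=value, including --password=x
    re.compile(r"(?P<pre>" + _KEYS + r"\s*=\s*)(?P<val>[^\s,'\"]+)",
               re.IGNORECASE),
    # CLI flag with a separate unquoted argument: --password x
    re.compile(r"(?P<pre>--" + _KEYS + r"\s+)(?P<val>[^\s'\"]\S*)",
               re.IGNORECASE),
]


def mask_password(message, secret="***"):
    """Return message with every recognised secret value replaced by secret."""
    def _replace(match):
        quote = match.groupdict().get("q") or ""
        return match.group("pre") + quote + secret + quote
    for pattern in _PATTERNS:
        message = pattern.sub(_replace, message)
    return message


class ProcessExecutionError(Exception):
    """Raised on non-zero exit; its text is masked before it can be logged."""
    def __init__(self, cmd, exit_code, stderr):
        self.exit_code = exit_code
        self.cmd = mask_password(cmd)        # keep only the masked form
        self.stderr = mask_password(stderr)  # a failing tool may echo args
        super().__init__("Command failed (exit %d): %s\nstderr: %s"
                         % (exit_code, self.cmd, self.stderr))


def execute(*cmd):
    """Run cmd without a shell; on failure raise with a masked command line."""
    proc = subprocess.run(list(cmd), capture_output=True, text=True)
    if proc.returncode != 0:
        raise ProcessExecutionError(" ".join(cmd), proc.returncode, proc.stderr)
    return proc.stdout, proc.stderr


def failure_message(*cmd):
    """Run cmd and return the masked error text, or None if it succeeded."""
    try:
        execute(*cmd)
    except ProcessExecutionError as exc:
        return str(exc)
    return None


# Constructed commands: one always fails while carrying a secret argument,
# one succeeds. Both use the running interpreter so the example is portable.
FAILING_CMD = (sys.executable, "-c", "import sys; sys.exit(3)",
               "--password=hunter2")
OK_CMD = (sys.executable, "-c", "pass")

if __name__ == "__main__":
    for sample in ("mysql -u cinder --password=s3cr3t cinder",
                   '{"password": "hunter2", "user": "cinder"}',
                   "--password 'my pass'"):
        print(naive_mask_password(sample), "|", mask_password(sample))
    print(failure_message(*FAILING_CMD))
```

The point of the wrapper is that the masking happens at the moment the error object is built, so every later consumer (a log handler, a traceback, a bug report) only ever sees the masked text. The patterns here are a starting set, not a complete one: short options such as `-p x` and keys not in `_KEYS` are still passed through, which is exactly the kind of gap that turns "mask_password did not mask passwords properly" into a log disclosure.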


