[PKG-Openstack-devel] Bug#765714: CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log files.

Thomas Goirand zigo at debian.org
Fri Oct 17 13:08:48 UTC 2014


Package: nova
Version: 2014.1.3-4
Severity: important
Tags: security

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the
processutils.execute() and strutils.mask_password() functions available
from oslo-incubator that are copied into each project's code. An
attacker with read access to the services' logs may obtain passwords
used as a parameter of a command that has failed (CVE-2014-7230) or when
mask_password did not mask passwords properly (CVE-2014-7231). All
Cinder, Nova and Trove setups are affected.

This patch:
https://review.openstack.org/121096 (Nova)

seems to be already applied.

This one:
https://review.openstack.org/126699 (Nova   ssh_execute)

will be included in the next upload: nova 2014.1.3-5.



More information about the Openstack-devel mailing list