[PKG-Openstack-devel] Bug#852742: python-oslo.middleware: CVE-2017-2592: CatchErrors leaks sensitive values in oslo.middleware

Thomas Goirand zigo at debian.org
Fri Jan 27 15:57:09 UTC 2017


On 01/26/2017 10:11 PM, Salvatore Bonaccorso wrote:
> Source: python-oslo.middleware
> Version: 3.19.0-2
> Severity: grave
> Tags: security patch upstream
> Forwarded: https://launchpad.net/bugs/1628031
> 
> Hi,
> 
> the following vulnerability was published for python-oslo.middleware.
> 
> CVE-2017-2592[0]:
> CatchErrors leaks sensitive values in oslo.middleware
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-2592
> [1] https://launchpad.net/bugs/1628031
> 
> Regards,
> Salvatore

Hi Salvatore,

Thanks for the notification.

IMO this isn't a grave issue. To be able to read the logs, someone would
need to have access to the server logs, meaning having privileged access
to the server.

I have nevertheless uploaded the upstream patch to Sid, and asked the
release team for an unblock (with 5 days delay).

Cheers,

Thomas Goirand (zigo)


