[PKG-Openstack-devel] Bug#852742: python-oslo.middleware: CVE-2017-2592: CatchErrors leaks sensitive values in oslo.middleware
carnil at debian.org
Sat Jan 28 17:55:44 UTC 2017
On Fri, Jan 27, 2017 at 04:57:09PM +0100, Thomas Goirand wrote:
> On 01/26/2017 10:11 PM, Salvatore Bonaccorso wrote:
> > Source: python-oslo.middleware
> > Version: 3.19.0-2
> > Severity: grave
> > Tags: security patch upstream
> > Forwarded: https://launchpad.net/bugs/1628031
> > Hi,
> > the following vulnerability was published for python-oslo.middleware.
> > CVE-2017-2592:
> > CatchErrors leaks sensitive values in oslo.middleware
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > For further information see:
> >  https://security-tracker.debian.org/tracker/CVE-2017-2592
> >  https://launchpad.net/bugs/1628031
> > Regards,
> > Salvatore
> Hi Salvatore,
> Thanks for the notification.
> IMO this isn't a grave issue. To be able to read the logs, someone would
> need to have access to the server logs, meaning having privileged access
> to the server.
> I have never the less uploaded the upstream patch to Sid, and asked for
> an unblock to the release team (with 5 days delay).
Thanks for the quick followup. Apparently the upload was not accepted,
cf. no trace of it in
https://tracker.debian.org/pkg/python-oslo.middleware . Can you please
recheck, and reupload? Already appreciated, since we should have the
fix in stretch.
More information about the Openstack-devel