ceilometer: CVE-2013-6384: Ceilometer log contains DB password in plain text

Related Vulnerabilities: CVE-2013-6384  

Debian Bug report logs - #730227

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 22 Nov 2013 21:18:02 UTC

Severity: important

Tags: security, upstream

Fixed in version ceilometer/2013.2-4

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#730227; Package ceilometer. (Fri, 22 Nov 2013 21:18:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 22 Nov 2013 21:18:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ceilometer: CVE-2013-6384: Ceilometer log contains DB password in plain text
Date: Fri, 22 Nov 2013 22:15:19 +0100
Package: ceilometer
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for ceilometer.

CVE-2013-6384[0]:
Ceilometer log contains DB password in plain text

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6384
    http://security-tracker.debian.org/tracker/CVE-2013-6384
[1] https://bugs.launchpad.net/ceilometer/+bug/1244476

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 04 Dec 2013 12:21:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Dec 2013 12:21:14 GMT)


Message #10 received at 730227-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 730227-close@bugs.debian.org
Subject: Bug#730227: fixed in ceilometer 2013.2-4
Date: Wed, 04 Dec 2013 12:18:35 +0000
Source: ceilometer
Source-Version: 2013.2-4

We believe that the bug you reported is fixed in the latest version of
ceilometer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 730227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated ceilometer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 04 Dec 2013 19:41:05 +0800
Source: ceilometer
Binary: python-ceilometer ceilometer-common ceilometer-collector ceilometer-api ceilometer-agent-compute ceilometer-agent-central ceilometer-alarm-evaluator ceilometer-alarm-notifier
Architecture: source all
Version: 2013.2-4
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 ceilometer-agent-central - OpenStack efficient metering counters system - central agent
 ceilometer-agent-compute - OpenStack efficient metering counters system - compute agent
 ceilometer-alarm-evaluator - OpenStack efficient metering counters system - alarm evaluator
 ceilometer-alarm-notifier - OpenStack efficient metering counters system - alarm notifier
 ceilometer-api - OpenStack efficient metering counters system (API service)
 ceilometer-collector - OpenStack efficient metering counters system - collector service
 ceilometer-common - OpenStack efficient metering counters system - common files
 python-ceilometer - OpenStack efficient metering counters system - Python libraries
Closes: 728771 729774 730227 730874
Changes: 
 ceilometer (2013.2-4) unstable; urgency=low
 .
   * CVE-2013-6384: applied upstream patch mongodb, db2: do not print full
     URL in logs (Closes: #730227).
   * Switches from msgpack-python to python-msgpack in dependencies, as the
     package has been renamed (Closes: #730874).
   * Updates some debconf translations, with warm thanks to:
     - French, Julien Patriarca <leatherface@debian.org> (Closes: #728771).
     - Russian, Yuri Kozlov <yuray@komyakino.ru> (Closes: #729774).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 Mar 2014 07:28:04 GMT)
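
The class of fix named in the changelog above ("do not print full URL in logs"), shown as an added example; this is not the upstream Ceilometer patch or Debian's code. It masks the password in a database connection URL before it reaches a log handler and flags log lines that still carry one. All names, the mask string and the sample log lines are constructed for illustration.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "***"
# scheme://user:password@ anywhere in free-form text (user part may be empty).
_CRED_URL = re.compile(r"([a-z][a-z0-9+.\-]*://[^\s:/@]*):[^\s/]+@", re.I)


def redact_url(url):
    """Mask the password of a connection URL; keep user, hosts, path and query."""
    parts = urlsplit(url)
    # Split on the last '@' so multi-host netlocs (replica sets) stay intact.
    userinfo, at, hosts = parts.netloc.rpartition("@")
    if not at or ":" not in userinfo:
        return url  # no embedded password, nothing to hide
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc="%s:%s@%s" % (user, MASK, hosts)))


def scrub_text(text):
    """Mask every credential-bearing URL found inside a log message."""
    return _CRED_URL.sub(lambda m: "%s:%s@" % (m.group(1), MASK), text)


class RedactingFilter(logging.Filter):
    """Handler filter: formats the record, then scrubs the final message."""

    def filter(self, record):
        record.msg = scrub_text(record.getMessage())
        record.args = ()  # message is already formatted
        return True


def find_leaks(lines):
    """Return 1-based numbers of log lines that contain an unmasked password."""
    return [n for n, line in enumerate(lines, 1) if scrub_text(line) != line]


# Constructed sample log lines (not taken from the bug report).
SAMPLE_LOG = [
    "INFO storage: connecting to mongodb://ceilometer:s3cr3t@db1:27017,db2:27017/ceilometer",
    "INFO storage: connecting to mongodb://localhost:27017/ceilometer",
    "INFO storage: connecting to db2://meter:***@dbhost:50000/ceil",
]

if __name__ == "__main__":
    print(redact_url("mongodb://ceilometer:s3cr3t@db1:27017/ceilometer"))
    print(find_leaks(SAMPLE_LOG))
```

Logs written before the fix may still hold the password, so a scan like `find_leaks` over retained log files shows where the credential was exposed.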

