Debian Bug report logs - #1034186
heat: CVE-2023-1625

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 10 Apr 2023 17:45:08 UTC

Severity: important

Tags: security, upstream

Fixed in version heat/1:19.0.0-2

Done: Thomas Goirand <zigo@debian.org>

Forwarded to https://review.opendev.org/c/openstack/heat/+/868166


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#1034186; Package src:heat. (Mon, 10 Apr 2023 17:45:11 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>. (Mon, 10 Apr 2023 17:45:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: heat: CVE-2023-1625
Date: Mon, 10 Apr 2023 19:43:42 +0200
Source: heat
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for heat.

CVE-2023-1625[0]:
information leak in API

https://bugzilla.redhat.com/show_bug.cgi?id=2181621
https://review.opendev.org/c/openstack/heat/+/868166
https://github.com/openstack/heat/commit/1305a3152f75c6e62ec5094ea2bfc38f165204cf (20.0.0.0rc1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1625
    https://www.cve.org/CVERecord?id=CVE-2023-1625

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 18:54:10 GMT)


Set Bug forwarded-to-address to 'https://review.opendev.org/c/openstack/heat/+/868166'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 18:54:11 GMT)


Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1034186. (Tue, 11 Apr 2023 08:54:02 GMT)


Message #12 received at 1034186-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 1034186-submitter@bugs.debian.org
Subject: Bug#1034186 marked as pending in heat
Date: Tue, 11 Apr 2023 08:51:17 +0000
Control: tag -1 pending

Hello,

Bug #1034186 in heat reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/heat/-/commit/1e3e60491856c1fadc7fdee07e989ec48b9ec139

------------------------------------------------------------------------
* CVE-2023-1625: information leak in API. Added upstream patch:
    Honor-hidden-parameter-in-stack_environment_show-command.patch
    (Closes: #1034186).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1034186


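The patch name in the message above describes the fix: when the stack environment is shown through the API, parameter values the template declares with `hidden: true` must be masked rather than returned in clear. The following Python is an added example, not code from OpenStack Heat, from the upstream review, or from the Debian package. It models that masking step and, more usefully for an operator, gives a checker you can run over a real environment document to see whether a Heat deployment still leaks hidden values. Two things are assumptions not stated on this page: that the mask string is the literal `******`, and that environment parameter values live under the `parameters` and `parameter_defaults` keys of the environment document. The template and environment documents are constructed sample data.

```python
"""Model of the CVE-2023-1625 fix: mask 'hidden' template parameters before a
stack environment is returned, plus a checker for output captured from a live
Heat API.  Added example; not Heat's own code.

Assumptions (not from the bug report): hidden values are masked with the
literal '******', and parameter values appear under the environment's
'parameters' and 'parameter_defaults' keys.
"""
import copy

MASK = "******"  # assumed mask string
ENV_PARAM_SECTIONS = ("parameters", "parameter_defaults")  # assumed keys

# Constructed HOT template fragment: only the parameters section matters here.
TEMPLATE = {
    "heat_template_version": "2018-08-31",
    "parameters": {
        "image": {"type": "string"},
        "db_password": {"type": "string", "hidden": True},
        "api_token": {"type": "string", "hidden": True},
    },
}

# Constructed environment document as an unpatched API would return it:
# the hidden values are present in clear.
RAW_ENVIRONMENT = {
    "parameters": {"image": "debian-12", "db_password": "s3cr3t-db"},
    "parameter_defaults": {"api_token": "tok-abc123"},
    "resource_registry": {},
}


def hidden_parameters(template):
    """Names of the parameters the template marks as hidden."""
    params = template.get("parameters") or {}
    return {name for name, schema in params.items()
            if isinstance(schema, dict) and schema.get("hidden") is True}


def redact_environment(template, environment):
    """Return a copy of the environment with hidden parameter values masked.

    This is the behaviour 'stack environment show' should have after the fix.
    The input document is left untouched so it can still be compared against
    the redacted copy.
    """
    hidden = hidden_parameters(template)
    redacted = copy.deepcopy(environment)
    for section in ENV_PARAM_SECTIONS:
        values = redacted.get(section)
        if not isinstance(values, dict):
            continue
        for name in values:
            if name in hidden:
                values[name] = MASK
    return redacted


def leaked_hidden_parameters(template, shown_environment):
    """Given the environment document a Heat API actually returned, list the
    hidden parameters whose value was not masked, as 'section.name' strings.

    A non-empty result means the service is still affected (or the template
    was changed after the stack was created, so check that first).
    """
    hidden = hidden_parameters(template)
    leaked = []
    for section in ENV_PARAM_SECTIONS:
        values = shown_environment.get(section)
        if not isinstance(values, dict):
            continue
        for name, value in values.items():
            if name in hidden and value != MASK:
                leaked.append(f"{section}.{name}")
    return sorted(leaked)


if __name__ == "__main__":
    print("unpatched leaks:", leaked_hidden_parameters(TEMPLATE, RAW_ENVIRONMENT))
    fixed = redact_environment(TEMPLATE, RAW_ENVIRONMENT)
    print("patched leaks:  ", leaked_hidden_parameters(TEMPLATE, fixed))
```

To use the checker against a real deployment, feed it the JSON output of `openstack stack template show <stack> -f json` and `openstack stack environment show <stack> -f json` (both are python-heatclient OSC commands) in place of the constructed `TEMPLATE` and `RAW_ENVIRONMENT`; run it with a user who has only the rights needed to read the stack, since the point of the CVE is what such a user can see.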

Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 1034186-submitter@bugs.debian.org. (Tue, 11 Apr 2023 08:54:02 GMT)


Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1034186. (Tue, 11 Apr 2023 09:09:03 GMT)


Message #17 received at 1034186-submitter@bugs.debian.org:

From: Theo Gindre <noreply@salsa.debian.org>
To: 1034186-submitter@bugs.debian.org
Subject: Bug#1034186 marked as pending in heat
Date: Tue, 11 Apr 2023 09:06:56 +0000
Control: tag -1 pending

Hello,

Bug #1034186 in heat reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/heat/-/commit/adc5bcc80bf9445a5a6ba1845192bf333743fdc2

------------------------------------------------------------------------
* CVE-2023-1625: information leak in API: apply upstream patch
  Honor 'hidden' parameter in 'stack environment show' command
  (Closes: #1034186)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1034186



Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1034186. (Tue, 11 Apr 2023 09:09:04 GMT)


Message #20 received at 1034186-submitter@bugs.debian.org:

From: Theo Gindre <noreply@salsa.debian.org>
To: 1034186-submitter@bugs.debian.org
Subject: Bug#1034186 marked as pending in heat
Date: Tue, 11 Apr 2023 09:07:58 +0000
Control: tag -1 pending

Hello,

Bug #1034186 in heat reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/heat/-/commit/3a4b4502cc2f6bc38a36fee0e009d696b5ea477c

------------------------------------------------------------------------
* CVE-2023-1625: information leak in API: apply upstream patch
  Honor 'hidden' parameter in 'stack environment show' command
  (Closes: #1034186)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1034186



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 11 Apr 2023 09:21:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 11 Apr 2023 09:21:03 GMT)


Message #25 received at 1034186-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1034186-close@bugs.debian.org
Subject: Bug#1034186: fixed in heat 1:19.0.0-2
Date: Tue, 11 Apr 2023 09:19:32 +0000
Source: heat
Source-Version: 1:19.0.0-2
Done: Thomas Goirand <zigo@debian.org>

We believe that the bug you reported is fixed in the latest version of
heat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated heat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 Apr 2023 10:21:00 +0200
Source: heat
Architecture: source
Version: 1:19.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1034186
Changes:
 heat (1:19.0.0-2) unstable; urgency=high
 .
   * CVE-2023-1625: information leak in API. Added upstream patch:
     Honor-hidden-parameter-in-stack_environment_show-command.patch
     (Closes: #1034186).
   * Removed obsolete depends on lsb-base.
Checksums-Sha1:
 8caeed91b3c56fd6659791ae15d0eabcdd7fabbb 4133 heat_19.0.0-2.dsc
 224b7c5f5d1cec13bca142f302f23dc2f462cbf4 21404 heat_19.0.0-2.debian.tar.xz
 df350bd4f62d056ae23e64e0a55f0d27c7dac5e2 19546 heat_19.0.0-2_amd64.buildinfo
Checksums-Sha256:
 4dc06f438078a7a575147a63b92183610525992b3bc09421905d1192468db41d 4133 heat_19.0.0-2.dsc
 88fe96d948b2f04fc4e400b2d0e5367dc63d38ce3bdbbce4290c384e041934fe 21404 heat_19.0.0-2.debian.tar.xz
 e8fdc1c8e890adeeb8606c1f3d09af9231b86897511d42cbd322ac8a68c77f23 19546 heat_19.0.0-2_amd64.buildinfo
Files:
 a99cbca06a7f3e18c4c3e34939024a77 4133 web optional heat_19.0.0-2.dsc
 bf72dd074c0d4e04e406fcb4485acd0e 21404 web optional heat_19.0.0-2.debian.tar.xz
 267e8b0d1a7025c50087ce1553d3da16 19546 web optional heat_19.0.0-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
[PGP signature data omitted]
-----END PGP SIGNATURE-----




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 11 13:11:04 2023; Machine Name: bembo