CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log files.


Debian Bug report logs - #765704

Reported by: Thomas Goirand <zigo@debian.org>

Date: Fri, 17 Oct 2014 12:51:25 UTC

Severity: important

Tags: security

Found in version 2014.1.3-3

Fixed in version cinder/2014.1.3-4

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#765704; Package cinder. (Fri, 17 Oct 2014 12:51:30 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 17 Oct 2014 12:51:30 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log files.
Date: Fri, 17 Oct 2014 20:50:27 +0800
Package: cinder
Version: 2014.1.3-3
Severity: important
Tags: security

Amrith Kumar from Tesora reported two vulnerabilities in the
processutils.execute() and strutils.mask_password() functions available
from oslo-incubator that are copied into each project's code. An
attacker with read access to the services' logs may obtain passwords
used as a parameter of a command that has failed (CVE-2014-7230) or when
mask_password did not mask passwords properly (CVE-2014-7231). All
Cinder, Nova and Trove setups are affected.

Note from package maintainer:

The fix here:
https://review.openstack.org/121382 (Cinder)

is already applied on 2014.1.3, and the fix here:
https://review.openstack.org/126665 (Cinder ssh_execute)

will be uploaded in 2014.1.3-4 which I'm currently preparing.

Thomas Goirand (zigo)
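
The two defects named in the report, a failed command's full argument list ending up in the exception that gets logged (CVE-2014-7230) and a masking routine whose patterns miss some of the shapes a password takes on a command line (CVE-2014-7231), come down to one rule: every string that can reach a log must be masked, and the masking patterns must cover each argument form the service actually emits. The following is an added example written for this page; it is not the oslo-incubator processutils/strutils code and not the upstream fix. The function names mask_password(), execute() and ProcessExecutionError are borrowed from the report for readability only; the key list, the regular expressions (including the iscsiadm-style "... .password -v <value>" form) and the sample command are constructed for the example.

```python
import logging
import re
import subprocess
import sys

LOG = logging.getLogger(__name__)
MASK = "***"

# Key names that mark a secret. Constructed list for this example; a real
# service keeps the list in one place so every log path uses the same one.
_SANITIZE_KEYS = ("password", "admin_pass", "passwd", "secret", "token")

# A secret value: double-quoted, single-quoted, or bare (stops at whitespace,
# a quote or a comma so dict/JSON representations stay intact).
_VALUE = r"""(?:"([^"]*)"|'([^']*)'|([^'"\s,]+))"""

_PATTERNS = []
for _key in _SANITIZE_KEYS:
    # key=value, key: value, 'key': 'value', "key": "value"
    _PATTERNS.append(re.compile(
        r"""(['"]?%s['"]?\s*[=:]\s*)%s""" % (_key, _VALUE), re.IGNORECASE))
    # --key value and --key=value: a password passed as a command parameter
    _PATTERNS.append(re.compile(
        r"(--?%s[\s=]+)%s" % (_key, _VALUE), re.IGNORECASE))
    # "... .password -v value": the value follows a separate flag, so neither
    # of the patterns above sees it. Each distinct argument shape a service
    # emits needs its own pattern; a missed shape is exactly CVE-2014-7231.
    _PATTERNS.append(re.compile(
        r"(%s\s+-v\s+)%s" % (_key, _VALUE), re.IGNORECASE))


def _repl(match):
    # Keep the quote characters around the mask so the message stays readable.
    quote = '"' if match.group(2) is not None else (
        "'" if match.group(3) is not None else "")
    return match.group(1) + quote + MASK + quote


def mask_password(message):
    """Return `message` with every recognised secret value replaced by MASK."""
    message = str(message)
    for pattern in _PATTERNS:
        message = pattern.sub(_repl, message)
    return message


class ProcessExecutionError(Exception):
    """Raised when a command exits non-zero.

    Command line, stdout and stderr are masked before the message is built,
    so logging the exception (or repr() of it) cannot leak the secret. The
    unsafe equivalent builds the message from the raw values.
    """

    def __init__(self, cmd, exit_code, stdout, stderr):
        self.cmd = mask_password(cmd)
        self.exit_code = exit_code
        self.stdout = mask_password(stdout)
        self.stderr = mask_password(stderr)
        super().__init__(
            "Unexpected error while running command.\n"
            "Command: %s\nExit code: %d\nStdout: %r\nStderr: %r"
            % (self.cmd, exit_code, self.stdout, self.stderr))


def execute(*cmd, check_exit_code=True):
    """Run argv `cmd`; return (stdout, stderr) or raise ProcessExecutionError."""
    cmd_str = " ".join(cmd)
    # Mask at the log call as well: the debug line runs before any failure.
    LOG.debug("Running cmd (subprocess): %s", mask_password(cmd_str))
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if check_exit_code and proc.returncode != 0:
        raise ProcessExecutionError(cmd_str, proc.returncode,
                                    proc.stdout, proc.stderr)
    return proc.stdout, proc.stderr


def demo_failed_command():
    """Run a child that fails and echoes its (constructed) password argument
    to stderr; return the exception text that would reach the log."""
    child = ("import sys; sys.stderr.write('auth failed for ' + sys.argv[1]"
             " + '\\n'); sys.exit(1)")
    try:
        execute(sys.executable, "-c", child, "--password=hunter2")
    except ProcessExecutionError as exc:
        LOG.error("Failure: %s", exc)
        return str(exc)
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(demo_failed_command())
```

The check worth keeping in a service's test suite is the one the report implies: feed mask_password() every command-line shape the service emits (dict repr, key=value, --key value, and any flag-separated form such as the iscsiadm "-v" case) and assert the secret string is absent from the result; masking only at one log call, or only in one of the command and its output, leaves the other path open.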



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Fri, 17 Oct 2014 16:39:16 GMT) (full text, mbox, link).


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Fri, 17 Oct 2014 16:39:16 GMT) (full text, mbox, link).


Message #10 received at 765704-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 765704-close@bugs.debian.org
Subject: Bug#765704: fixed in cinder 2014.1.3-4
Date: Fri, 17 Oct 2014 16:34:07 +0000
Source: cinder
Source-Version: 2014.1.3-4

We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 765704@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated cinder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 17 Oct 2014 20:44:08 +0800
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler cinder-backup
Architecture: source all
Version: 2014.1.3-4
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 cinder-api - OpenStack block storage system - API server
 cinder-backup - OpenStack block storage system - Backup server
 cinder-common - OpenStack block storage system - common files
 cinder-scheduler - OpenStack block storage system - Scheduler server
 cinder-volume - OpenStack block storage system - Volume server
 python-cinder - OpenStack block storage system - Python libraries
Closes: 765704
Changes:
 cinder (2014.1.3-4) unstable; urgency=high
 .
   * CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log files.
     Applied upstream patch (Closes: #765704).
Checksums-Sha1:
 6ba6460e187506ac497d3cd6b7096aaf0039c7e2 3447 cinder_2014.1.3-4.dsc
 6b8ac68c3e9ccc5bfce7effb642e716949679b2f 385288 cinder_2014.1.3-4.debian.tar.xz
 a3fe01b57cd8fafcc95a5bf35ca60cf99bc6beab 1265368 python-cinder_2014.1.3-4_all.deb
 4a28743ad5710e35b0e3bb93a312b8e7dacbf22b 508356 cinder-common_2014.1.3-4_all.deb
 aff1c839595122fb86c9a18b531d56a2dfa24a65 484852 cinder-api_2014.1.3-4_all.deb
 71326d5ac11ea4129fe11f757747f31d321d3bf1 480610 cinder-volume_2014.1.3-4_all.deb
 1f1dccd936785a71e5162c35e3a7fab1140cf400 468942 cinder-scheduler_2014.1.3-4_all.deb
 f45a501a2460ceb5dc2d6aeebb8dd8771f000894 468624 cinder-backup_2014.1.3-4_all.deb
Checksums-Sha256:
 b9bdc983892943da289ae1f8bb97417bbfc2af198f205a1384b52d76befbb0d6 3447 cinder_2014.1.3-4.dsc
 3afc3675b7a7395dbdf6e5fa1299eb83ec0c4759c2057edaafa515ce7a1d255c 385288 cinder_2014.1.3-4.debian.tar.xz
 8786058de7a546ddd65dde32d7cfdae3fd1e941a1ad01b96dad78950317782b2 1265368 python-cinder_2014.1.3-4_all.deb
 53838e196f777de2cbc0a00fc3d9292f710032218716e9bdd69057950377a4e4 508356 cinder-common_2014.1.3-4_all.deb
 7d706901ab8e987bc7334320e4b7fef7055fe5c2cea5720303cef785ac159690 484852 cinder-api_2014.1.3-4_all.deb
 ad1110b1c74e30fd469f66f8b4009075788736d14d5d83c08dc637deff256658 480610 cinder-volume_2014.1.3-4_all.deb
 f30708dc01cd55f28116987da6be5b114ad68e654ce37a3de57a780e2256d7b1 468942 cinder-scheduler_2014.1.3-4_all.deb
 8d0f40dcceff21001e481b943b2dbc88222a4004a22033192a49207eeeb2adf0 468624 cinder-backup_2014.1.3-4_all.deb
Files:
 eb6043aa7665b7d391b5d147d592dba0 3447 net extra cinder_2014.1.3-4.dsc
 1c491e02e22e52630d57287d3eb15afa 385288 net extra cinder_2014.1.3-4.debian.tar.xz
 d1e5272fc348e8a9d84c9d46d3d350df 1265368 python extra python-cinder_2014.1.3-4_all.deb
 7c2fe856e3df6b93e16b5371d11e6c9e 508356 net extra cinder-common_2014.1.3-4_all.deb
 4dcb5ccc719343f9b62fffb68c3bca83 484852 net extra cinder-api_2014.1.3-4_all.deb
 8ca15d74cc6f3309d65b8042ffbeac43 480610 net extra cinder-volume_2014.1.3-4_all.deb
 9e188a0943313106f59ddaed3a6d9828 468942 net extra cinder-scheduler_2014.1.3-4_all.deb
 f8e095867a4446dc7cf6c707fe9c9a72 468624 net extra cinder-backup_2014.1.3-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUQUDkAAoJENQWrRWsa0P+kagQAJWeWn/XIt0Xmu7Y8cLYfp3f
BUZLJTw5Xzxo3IPQtRseSMTF/cQ0k84y9l7lu/P4hgMKAOp/iBR6bwuXi6GXixaf
pa78AfVdED/cGUeAwoz0k/jnykS3xhQXBb2OeolqGYVIQDbwuMj/UxQf+jG1abEo
A57UXKR0Ro/yUIyjd57tlcf8ZVMf1xG6119/8giEFMp0SmqjtymLfCy6HwMC7eOO
w4nWdkFn7Xr1nZHK8z0Af8QibPLB3NsmMxVi2hIFMW1dGp+nDCDKIfDLf4+jJXs7
nnzoszpZpMXfXZ6ayS4q9hBIpe08i996u0pi+LyBMQsm65T7+hgJdZPZQHSKaXw+
VPqPOMkHes0fVa1ENozgbrxJ3wQ3ipJm9SFy1J6lfS+v2C/KOQqeLfNXVhxkR1MY
A/YcItQHRSxFJMw5CuKsausLEK0wQWcFCBvzE08AG/3HluEGNl+GLPqXwhhhSuNz
aS8S49gVj1Ti1hj4ke2VAMUWHOrK3LKLfjIrOu0zy8G01nz3M3ljQ2NPFRoUcXGs
yUPxecH9hSJEI0COImzg/W3LTWinUKkVeYl7A7ynF4GTHMfdFRMXEOlIMtVJE3Sx
oErsBoVyNOqeLjP0XoJGhMeExUIq/E86lmsCrE3OB4nOHvJ5rl9ZK7hGLKyzfN8f
y6eMVBGC3nxZ7sUoDVE8
=9fVX
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Dec 2014 07:25:42 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:17:37 2019; Machine Name: buxtehude
