python-oslo.middleware: CVE-2017-2592: CatchErrors leaks sensitive values in oslo.middleware

Related Vulnerabilities: CVE-2017-2592  

Debian Bug report logs - #852742


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 26 Jan 2017 21:15:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version python-oslo.middleware/3.19.0-2

Fixed in version python-oslo.middleware/3.19.0-3

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://launchpad.net/bugs/1628031



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#852742; Package src:python-oslo.middleware. (Thu, 26 Jan 2017 21:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 26 Jan 2017 21:15:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-oslo.middleware: CVE-2017-2592: CatchErrors leaks sensitive values in oslo.middleware
Date: Thu, 26 Jan 2017 22:11:09 +0100
Source: python-oslo.middleware
Version: 3.19.0-2
Severity: grave
Tags: security patch upstream
Forwarded: https://launchpad.net/bugs/1628031

Hi,

the following vulnerability was published for python-oslo.middleware.

CVE-2017-2592[0]:
CatchErrors leaks sensitive values in oslo.middleware

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2592
[1] https://launchpad.net/bugs/1628031

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#852742; Package src:python-oslo.middleware. (Fri, 27 Jan 2017 16:00:15 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 27 Jan 2017 16:00:15 GMT)


Message #10 received at 852742@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 852742@bugs.debian.org, security@debian.org
Subject: Re: Bug#852742: python-oslo.middleware: CVE-2017-2592: CatchErrors leaks sensitive values in oslo.middleware
Date: Fri, 27 Jan 2017 16:57:09 +0100
On 01/26/2017 10:11 PM, Salvatore Bonaccorso wrote:
> Source: python-oslo.middleware
> Version: 3.19.0-2
> Severity: grave
> Tags: security patch upstream
> Forwarded: https://launchpad.net/bugs/1628031
> 
> Hi,
> 
> the following vulnerability was published for python-oslo.middleware.
> 
> CVE-2017-2592[0]:
> CatchErrors leaks sensitive values in oslo.middleware
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-2592
> [1] https://launchpad.net/bugs/1628031
> 
> Regards,
> Salvatore

Hi Salvatore,

Thanks for the notification.

IMO this isn't a grave issue. To be able to read the logs, someone would
need to have access to the server logs, meaning having privileged access
to the server.

I have nevertheless uploaded the upstream patch to Sid, and asked for
an unblock to the release team (with 5 days delay).

Cheers,

Thomas Goirand (zigo)
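The pattern named in the bug title, as an added illustration that is not code from oslo.middleware or from the patch applied here: a catch-all WSGI error middleware that logs the request environ when the wrapped application raises, beside a variant that masks token-bearing headers before anything reaches the log (the point Thomas raises about log access is exactly why the masked form matters). The list of sensitive header keys, the token value and the failing application are constructed assumptions for this example.

```python
import io
import logging
from wsgiref.util import setup_testing_defaults

# Constructed illustration (not oslo.middleware's code): a catch-all error
# middleware that logs the WSGI environ when the wrapped app raises.
# The header names treated as sensitive are an assumption for this example.
SENSITIVE_KEYS = ("HTTP_X_AUTH_TOKEN", "HTTP_X_SERVICE_TOKEN", "HTTP_AUTHORIZATION")
REDACTED = "*****"

def redact_environ(environ):
    """Copy of the environ with sensitive header values masked."""
    return {k: (REDACTED if k in SENSITIVE_KEYS else v) for k, v in environ.items()}

class CatchErrors:
    """Convert any exception from the wrapped app into a 500 and log the request.

    redact=False logs the raw environ (the leaky pattern); redact=True masks
    the sensitive header values before anything reaches the log.
    """
    def __init__(self, app, logger, redact=True):
        self.app, self.log, self.redact = app, logger, redact

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            shown = redact_environ(environ) if self.redact else environ
            self.log.exception("error during request: %s", sorted(shown.items()))
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"An unknown error has occurred.\n"]

def failing_app(environ, start_response):
    raise RuntimeError("backend unavailable")   # constructed failure

def run_once(redact):
    """Send one constructed request carrying a token; return (log text, body)."""
    buf = io.StringIO()
    logger = logging.getLogger("catch_errors.redact_%s" % redact)
    logger.handlers[:] = [logging.StreamHandler(buf)]
    logger.propagate = False
    environ = {"HTTP_X_AUTH_TOKEN": "constructed-secret-token-123"}
    setup_testing_defaults(environ)
    app = CatchErrors(failing_app, logger, redact=redact)
    body = b"".join(app(environ, lambda status, headers: None))
    return buf.getvalue(), body

if __name__ == "__main__":
    print("token in leaky log:", "constructed-secret-token-123" in run_once(False)[0])
    print("token in redacted log:", "constructed-secret-token-123" in run_once(True)[0])
```

Grepping the captured log for the token value is also a cheap regression check to keep around after applying a fix of this kind.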




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#852742; Package src:python-oslo.middleware. (Sat, 28 Jan 2017 17:57:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sat, 28 Jan 2017 17:57:11 GMT)


Message #15 received at 852742@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>, 852742@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#852742: python-oslo.middleware: CVE-2017-2592: CatchErrors leaks sensitive values in oslo.middleware
Date: Sat, 28 Jan 2017 18:55:44 +0100
Hi Thomas,

On Fri, Jan 27, 2017 at 04:57:09PM +0100, Thomas Goirand wrote:
> On 01/26/2017 10:11 PM, Salvatore Bonaccorso wrote:
> > Source: python-oslo.middleware
> > Version: 3.19.0-2
> > Severity: grave
> > Tags: security patch upstream
> > Forwarded: https://launchpad.net/bugs/1628031
> > 
> > Hi,
> > 
> > the following vulnerability was published for python-oslo.middleware.
> > 
> > CVE-2017-2592[0]:
> > CatchErrors leaks sensitive values in oslo.middleware
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-2592
> > [1] https://launchpad.net/bugs/1628031
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> Thanks for the notification.
> 
> IMO this isn't a grave issue. To be able to read the logs, someone would
> need to have access to the server logs, meaning having privileged access
> to the server.
> 
> I have nevertheless uploaded the upstream patch to Sid, and asked for
> an unblock to the release team (with 5 days delay).

Thanks for the quick followup. Apparently the upload was not accepted,
cf. no trace of it in
https://tracker.debian.org/pkg/python-oslo.middleware . Can you please
recheck, and reupload? Already appreciated, since we should have the
fix in stretch.

Regards,
Salvatore



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 31 Jan 2017 08:57:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 31 Jan 2017 08:57:03 GMT)


Message #20 received at 852742-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 852742-close@bugs.debian.org
Subject: Bug#852742: fixed in python-oslo.middleware 3.19.0-3
Date: Tue, 31 Jan 2017 08:53:12 +0000
Source: python-oslo.middleware
Source-Version: 3.19.0-3

We believe that the bug you reported is fixed in the latest version of
python-oslo.middleware, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 852742@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-oslo.middleware package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 27 Jan 2017 16:34:33 +0100
Source: python-oslo.middleware
Binary: python-oslo.middleware python3-oslo.middleware python-oslo.middleware-doc
Architecture: source all
Version: 3.19.0-3
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-oslo.middleware - various WSGI middleware components for OpenStack - Python 2.x
 python-oslo.middleware-doc - various WSGI middleware components for OpenStack - doc
 python3-oslo.middleware - various WSGI middleware components for OpenStack - Python 3.x
Closes: 852742
Changes:
 python-oslo.middleware (3.19.0-3) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * Bumped debhelper compat version to 10
 .
   [ Thomas Goirand ]
   * CVE-2017-2592: CatchErrors leaks sensitive values in oslo.middleware.
     Applied upstream patch (Closes: #852742).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Mar 2017 07:28:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:08:25 2019; Machine Name: beach
