oss-sec mailing list archives
Re: CVE-2013-2006 OpenStack keystone LDAP password disclosure in log files
From: Thierry Carrez <thierry () openstack org>
Date: Wed, 24 Apr 2013 11:12:38 +0200
Kurt Seifried wrote:
> So as part of https://bugs.launchpad.net/ossn/+bug/1168252 we have CVE-2013-1977 for the insecure file permissions (devstack/etc.). We also have the password being logged and exposed in the log files: https://review.openstack.org/#/c/26826/2/keystone/common/config.py Please use CVE-2013-2006 for this issue (password being logged to the log file).

This is tracked at https://bugs.launchpad.net/keystone/+bug/1172195

Note that it only affects DEBUG level logs.

--
Thierry Carrez (ttx)