oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2013-2006 OpenStack keystone LDAP password disclosure in log files

From: Thierry Carrez <thierry () openstack org>
Date: Wed, 24 Apr 2013 11:12:38 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Kurt Seifried wrote:

So as part of https://bugs.launchpad.net/ossn/+bug/1168252 we have 
CVE-2013-1977 for the insecure file permissions (devstack/etc.).
We also have the password being logged and exposed in the log
files:

https://review.openstack.org/#/c/26826/2/keystone/common/config.py

Please use CVE-2013-2006 for this issue (password being logged to
the log file).


This is tracked at https://bugs.launchpad.net/keystone/+bug/1172195
Note that it only affects DEBUG level logs.

- -- 
Thierry Carrez (ttx)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRd6IDAAoJEFB6+JAlsQQjPTgP/0O+/scukQmmSf4LZ1ORtabK
Y7i+9yGPlFmm0EYCgbsr67Wj64uzUnWpLxpWPX33BqHRv+qSJeIMpi6qQ7kpPqFa
bDO3PrVdgicOn3sthTmhjOk2xds1V9cv7J7KwibcWRGTsBzdz3/9QgIvNWsyTFY5
s4KDXdjArHx2/POOFnEc54AlQdOZmSySRiSbYYoz8r6BF8y88S2eqAnxmrPh3oUW
fIQGA+SUahgEbNOLVI6/WrrjSJ9mAs4+9mRO/g5oGbXe1Q48O7LRlDPchPpCqO1d
2MH+w3n6gC64WVZksogn6P9KiI0tkd1er2AN1waMMtlfuYVz2kz++UGflqmbZr1e
Y34GNA1DLnK7nYhxP00ii1F4UtdBWQfg2AXrdiCeGP9iZ5S5oX/XAFHYsIVi4Hsv
l+h6achLa5g/0ujccT0lukMtTLsQky4uakhaiO+m1ur1iQ14dKwunBIeTpjCcBUe
TL3pc3hNL1e0MQf8FQbBoVpzSPXi7faiS448M/aB1cOUPGmiMhm0sb8n2yC+AHmq
PXPCjdkxWZt4H9+/HVQm760rA3bkUcE74ONUiW9wQUtY0YMTFENAFlw+J/xYaBkn
uiLuRXplLmnZ4iNBiUVVFpuT9UQgNhLhD+o32p1m5MprX8GSwRBWAjV9fHZqHevf
r/bT692V4jdx9SFYaGgW
=7BAD
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: