oss-sec mailing list archives
Re: Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Mon, 06 Oct 2014 09:11:11 -0400
On 29/09/14 10:39 PM, cve-assign () mitre org wrote:
Is this a remaining vulnerability in Cinder 2013.2.4 and possibly other products? If so, then we will assign another CVE ID.
The ssh_execute method is indeed prone to password leak if: - passwords are used on the command line - execution fail - calling code catch and log the exception So far investigations shows that ssh_execute usage does not contain any passwords but we can't guarantee Cinder and Nova 2013.2.4 releases are not affected as the vulnerable code is still there so it may be safer to considered these releases affected. Apologizes for the confusion, -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove Tristan Cacqueray (Oct 06)