
group.of.nepali.translators team mailing list archive

[Bug 1628031] Re: [OSSA-2017-001] CatchErrors leaks sensitive values in oslo.middleware (CVE-2017-2592)

 

This bug was fixed in the package python-oslo.middleware - 3.8.0-2ubuntu1

---------------
python-oslo.middleware (3.8.0-2ubuntu1) xenial-security; urgency=medium

  * SECURITY UPDATE: Information disclosure in log file (LP: #1628031)
    - d/p/filter-token-data-out-of-catch_errors-middleware.patch:
      ensure sensitive token data is not written to log file.
    - CVE-2017-2592

 -- Corey Bryant <corey.bryant@xxxxxxxxxxxxx>  Thu, 10 May 2018 10:00:18 -0400

** Changed in: python-oslo.middleware (Ubuntu Xenial)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1628031

Title:
  [OSSA-2017-001] CatchErrors leaks sensitive values in oslo.middleware
  (CVE-2017-2592)

Status in keystonemiddleware:
  Invalid
Status in oslo.middleware:
  Fix Released
Status in oslo.utils:
  Invalid
Status in OpenStack Security Advisory:
  Fix Released
Status in python-oslo.middleware package in Ubuntu:
  Fix Released
Status in python-oslo.middleware source package in Xenial:
  Fix Released

Bug description:
  I had reported LP bug
  https://bugs.launchpad.net/keystonemiddleware/+bug/1627696 yesterday
  and I see that in cases where an error of this kind occurs the auth
  token used to place the rest call to neutron is logged as part of the
  stacktrace (which logs the headers including the token). I am not sure
  if this needs to be handled at the oslo_middleware layer or
  keystonemiddleware layer.

  Stacktrace from neutron:

  X-Auth-Token: gAAAAABX6NfMz4Lj4sYIDHu0eXr9oxymDrJTDOOrKztp0NElSiZcs9Umr-v8P-s8VP_lz_aVKPobfoj1ROP9X9amp8ACqwa4FNRvFX5IatzwmjAKR42AZZnuD4jxoJoC05iT-UKIY81gqHsOY8v7DbqTLSE2eOFwrFKZIMQBUDlDaeqwpce0LDp-dZrM2JIta9tOz99aOH5CShyu-ihMy3F87CN3cMdK5qHIr7oM1UiXc97zgzbDOTA
  2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors Traceback (most recent call last):
  2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/oslo_middleware/catch_errors.py", line 38, in __call__
  2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors response = req.get_response(self.application)
  2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1296, in send
  2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors application, catch_exc_info=False)
  2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1260, in

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1628031/+subscriptions
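
As an added illustration of the log leak described in this report (not code from oslo.middleware or from the Ubuntu patch): a minimal WSGI error-catching middleware that masks X-*-Token header values before the request is written to the log. The class and function names, the regular expression and the sample request are assumptions made for this example.

```python
import io
import logging
import re

LOG = logging.getLogger("catch_errors_example")
# Header lines such as "X-Auth-Token: ..." or "X-Subject-Token: ...".
_TOKEN_RE = re.compile(r"^(X-[\w-]*Token):.*$", re.I | re.M)

def request_text(environ):
    """Render the request line and headers of a WSGI environ as text."""
    lines = ["%s %s" % (environ["REQUEST_METHOD"], environ["PATH_INFO"])]
    for key, value in sorted(environ.items()):
        if key.startswith("HTTP_"):
            name = "-".join(p.capitalize() for p in key[5:].split("_"))
            lines.append("%s: %s" % (name, value))
    return "\n".join(lines)

def redact(text):
    """Replace the value of every X-*-Token header line with a marker."""
    return _TOKEN_RE.sub(r"\1: <removed>", text)

class CatchErrorsExample:
    """WSGI middleware that logs unhandled errors with tokens masked."""
    def __init__(self, application):
        self.application = application
    def __call__(self, environ, start_response):
        try:
            return self.application(environ, start_response)
        except Exception:
            # Traceback plus the redacted request; never the raw headers.
            LOG.exception("Error on request:\n%s",
                          redact(request_text(environ)))
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [b"Internal Server Error"]

def demo():
    """Run a constructed request through a failing app; return the log."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    LOG.addHandler(handler)
    def broken_app(environ, start_response):
        raise RuntimeError("backend failure")
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2.0/ports",
               "HTTP_ACCEPT": "application/json",
               "HTTP_X_AUTH_TOKEN": "constructed-secret-token"}
    CatchErrorsExample(broken_app)(environ, lambda status, headers: None)
    LOG.removeHandler(handler)
    return buf.getvalue()
```

Calling `demo()` returns the captured log text, which contains the traceback and the `Accept` header but shows `X-Auth-Token: <removed>` in place of the token value.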