yahoo-eng-team team mailing list archive

[Bug 1377981] [NEW] Missing fix for ssh_execute (Exceptions thrown may contain passwords)

 

Public bug reported:

Former bugs:
  https://bugs.launchpad.net/ossa/+bug/1343604
  https://bugs.launchpad.net/ossa/+bug/1345233

The ssh_execute method is still affected in the Cinder and Nova Icehouse releases.
It is prone to password leaks if:
- passwords are used on the command line
- execution fails
- calling code catches and logs the exception

The missing fix from oslo-incubator to be merged is:
6a60f84258c2be3391541dbe02e30b8e836f6c22

** Affects: cinder
     Importance: Undecided
         Status: In Progress

** Affects: cinder/icehouse
     Importance: Undecided
         Status: New

** Affects: nova
     Importance: Undecided
         Status: In Progress

** Affects: nova/icehouse
     Importance: Undecided
         Status: New

** Affects: oslo-incubator
     Importance: Undecided
         Status: Fix Released

** Affects: oslo-incubator/icehouse
     Importance: Undecided
         Status: New

** Affects: ossa
     Importance: Undecided
     Assignee: Tristan Cacqueray (tristan-cacqueray)
         Status: In Progress

** Also affects: nova
   Importance: Undecided
       Status: New

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
     Assignee: (unassigned) => Tristan Cacqueray (tristan-cacqueray)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1377981

Title:
  Missing fix for ssh_execute (Exceptions thrown may contain passwords)

Status in Cinder:
  In Progress
Status in Cinder icehouse series:
  New
Status in OpenStack Compute (Nova):
  In Progress
Status in OpenStack Compute (nova) icehouse series:
  New
Status in The Oslo library incubator:
  Fix Released
Status in oslo-incubator icehouse series:
  New
Status in OpenStack Security Advisories:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1377981/+subscriptions
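
The three conditions listed in the report, reproduced as an added example that is not part of the original bug report and is not oslo-incubator, Cinder or Nova code. The names mask_password, ProcessExecutionError, ssh_execute and logged_failure, the masking pattern, the storagecli command and the password value are all hypothetical stand-ins, and the SSH channel is replaced by a local callable so the block runs offline:

```python
import logging
import re

# Simplified, assumed pattern: the token after a password-like key or flag.
_SECRET_RE = re.compile(r"(?i)(\bpass(?:word|wd)?(?:\s*[=:]\s*|\s+))(\S+)")

def mask_password(text, placeholder="***"):
    """Replace the value that follows a password-like key with a placeholder."""
    return _SECRET_RE.sub(lambda m: m.group(1) + placeholder, text)

class ProcessExecutionError(Exception):
    """Constructed stand-in for the error raised when a remote command fails."""
    def __init__(self, cmd, exit_code, stdout="", stderr=""):
        super().__init__("Command: %s\nExit code: %s\nStdout: %r\nStderr: %r"
                         % (cmd, exit_code, stdout, stderr))

def ssh_execute(run, cmd, mask=True):
    """Hypothetical wrapper; run(cmd) -> (exit_code, stdout, stderr) replaces SSH."""
    exit_code, stdout, stderr = run(cmd)
    if exit_code != 0:
        if mask:  # sanitize every field before it can reach an exception message
            cmd, stdout, stderr = (mask_password(s) for s in (cmd, stdout, stderr))
        raise ProcessExecutionError(cmd, exit_code, stdout, stderr)
    return stdout, stderr

def logged_failure(run, cmd, mask):
    """Act as calling code that catches and logs the exception; return the log text."""
    records = []
    handler = logging.Handler()
    handler.emit = lambda record: records.append(record.getMessage())
    log = logging.getLogger("ssh_execute_demo")
    log.addHandler(handler)
    try:
        ssh_execute(run, cmd, mask=mask)
    except ProcessExecutionError as exc:
        log.error("SSH command failed: %s", exc)
    finally:
        log.removeHandler(handler)
    return "\n".join(records)

# Constructed sample input: a failing remote command with a password on its command line.
SAMPLE_CMD = "storagecli login --user admin --password S3cr3tPw"
def failing_run(cmd):
    return 1, "", "login failed: password=S3cr3tPw rejected"

if __name__ == "__main__":
    print(logged_failure(failing_run, SAMPLE_CMD, mask=False))  # secret is logged
    print(logged_failure(failing_run, SAMPLE_CMD, mask=True))   # secret is masked
```

Masking inside the wrapper, before the exception is built, protects every caller that logs the exception without requiring changes to the calling code.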
