yahoo-eng-team team mailing list archive
Message #23495
[Bug 1377981] Re: Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)
Reviewed: https://review.openstack.org/126592
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d5efe6703297761215907eeaf703cec040e6ad25
Submitter: Jenkins
Branch: proposed/juno
commit d5efe6703297761215907eeaf703cec040e6ad25
Author: Tristan Cacqueray <tristan.cacqueray@xxxxxxxxxxxx>
Date: Fri Oct 3 19:57:01 2014 +0000
Sync latest processutils from oslo-incubator
An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
to address ssh_execute(). This change set addresses ssh_execute.
------------------------------------------------
oslo-incubator head:
commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
Merge: 9f5c700 2a130bf
Author: Jenkins <jenkins@xxxxxxxxxxxxxxxxxxxx>
Date: Mon Sep 29 23:12:14 2014 +0000
Merge "Script to list unreleased changes in all oslo projects"
-----------------------------------------------
The sync pulls in the following changes (newest to oldest):
6a60f842 - Mask passwords in exceptions and error messages (SSH)
-----------------------------------------------
Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
Closes-Bug: #1377981
(cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567)
** Changed in: cinder
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1377981
Title:
Missing fix for ssh_execute (Exceptions thrown may contain passwords)
(CVE-2014-7230, CVE-2014-7231)
Status in Cinder:
Fix Released
Status in Cinder icehouse series:
In Progress
Status in OpenStack Compute (Nova):
Fix Committed
Status in OpenStack Compute (nova) icehouse series:
New
Status in The Oslo library incubator:
Fix Released
Status in oslo-incubator icehouse series:
New
Status in OpenStack Security Advisories:
In Progress
Bug description:
Former bugs:
https://bugs.launchpad.net/ossa/+bug/1343604
https://bugs.launchpad.net/ossa/+bug/1345233
The ssh_execute method is still affected in the Cinder and Nova Icehouse release.
It is prone to password leaks if:
- passwords are used on the command line
- execution fails
- calling code catches and logs the exception
The missing fix from oslo-incubator to be merged is:
6a60f84258c2be3391541dbe02e30b8e836f6c22
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1377981/+subscriptions
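The three conditions listed in the bug description, reproduced as an added example (not code from Cinder, Nova or oslo-incubator): a failing ssh_execute-style call whose exception is caught and logged, first unmasked and then with the command and stderr sanitized before the exception is built. The `storagecli` command, the password, the regex-based `mask_password` and the local `ProcessExecutionError` and `fake_remote_run` are simplified assumptions made for the demonstration.

```python
import logging
import re

# Simplified stand-in for a password masker; the flag names matched are assumptions.
_SECRET_RE = re.compile(r"(--?(?:password|passwd|pw)[=\s]+)(\S+)", re.IGNORECASE)

# Constructed sample command (hypothetical CLI and password).
CMD = "storagecli --user admin --password S3cr3t! create-volume vol1"

def mask_password(text, secret="***"):
    return _SECRET_RE.sub(lambda m: m.group(1) + secret, text)

class ProcessExecutionError(Exception):
    """Local simplified error type that embeds the command, as the bug describes."""
    def __init__(self, cmd, exit_code, stderr):
        super().__init__("Command: %s\nExit code: %s\nStderr: %r"
                         % (cmd, exit_code, stderr))

def fake_remote_run(cmd):
    """Constructed stand-in for the SSH channel: always fails, echoes cmd."""
    return 1, "", "error running: %s" % cmd

def ssh_execute_unmasked(cmd):
    code, out, err = fake_remote_run(cmd)
    if code != 0:
        raise ProcessExecutionError(cmd, code, err)  # password rides along
    return out, err

def ssh_execute_masked(cmd):
    code, out, err = fake_remote_run(cmd)
    if code != 0:
        # Sanitize every field that ends up in the exception text.
        raise ProcessExecutionError(mask_password(cmd), code, mask_password(err))
    return out, err

def logged_failure(execute, cmd):
    """Caller that catches and logs the exception; returns the log text."""
    records = []
    handler = logging.Handler()
    handler.emit = lambda record: records.append(record.getMessage())
    log = logging.getLogger("demo." + execute.__name__)
    log.propagate = False
    log.addHandler(handler)
    try:
        execute(cmd)
    except ProcessExecutionError as exc:
        log.error("ssh command failed: %s", exc)
    log.removeHandler(handler)
    return "\n".join(records)
```

Calling `logged_failure(ssh_execute_unmasked, CMD)` returns log text containing the password; the masked variant returns the same message with `***` in its place, including inside the echoed stderr.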