yahoo-eng-team team mailing list archive
Message #33847
[Bug 1345233] Re: Make the checks in strutils.mask_password more secure (CVE-2014-7231)
** Also affects: nova
Importance: Undecided
Status: New
** Changed in: nova
Status: New => Invalid
** Also affects: nova/havana
Importance: Undecided
Status: New
** Also affects: nova/juno
Importance: Undecided
Status: New
** Also affects: nova/icehouse
Importance: Undecided
Status: New
** No longer affects: nova/juno
** Changed in: nova/havana
Status: New => Fix Committed
** Changed in: nova/icehouse
Status: New => Fix Committed
** Changed in: nova/icehouse
Milestone: None => 2014.1.5
** Changed in: nova/havana
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1345233
Title:
Make the checks in strutils.mask_password more secure (CVE-2014-7231)
Status in OpenStack Compute (Nova):
Invalid
Status in OpenStack Compute (nova) havana series:
Fix Released
Status in OpenStack Compute (nova) icehouse series:
Fix Committed
Status in Oslo utility library:
Fix Released
Bug description:
Relates to findings while fixing
https://bugs.launchpad.net/ossa/+bug/1343604
mask_password() needs to be more robust and catch many more common
formats of strings that could include passwords.
An example is that it does not catch something like
'--password=top-secret' but does catch '--password="top-secret"'. See
below; the logged messages are being generated by using mask_password().
/usr/sbin/mysqld --password=top-secret
2014-07-19 18:35:01.415 20588 ERROR openstack.common.processutils [-]
Running cmd (subprocess): /usr/sbin/mysqld --password=secret
They did catch
/usr/sbin/mysqld --password="top-secret"
2014-07-19 18:35:48.686 20605 ERROR openstack.common.processutils [-]
Running cmd (subprocess): /usr/sbin/mysqld --password="***"
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1345233/+subscriptions
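
The gap described in the bug report above, as an added example that is not part of the original message and is not oslo's implementation: a masker that only recognises quoted values beside one that also handles bare values, run over the two command lines from the report. The key list, patterns and function names are assumptions made for this illustration.

```python
import re

# Assumed key names for this example; not the list used by oslo.
SECRET_KEYS = ("password", "passwd", "admin_pass")
MASK = "***"

_KEYS = "|".join(re.escape(k) for k in SECRET_KEYS)
# key followed by '=' or ':' with optional whitespace around it
_PREFIX = r"(?P<prefix>\b(?:" + _KEYS + r")\s*[=:]\s*)"
# a value wrapped in matching single or double quotes
_QUOTED = r"(?P<q>[\"'])(?P<val>.*?)(?P=q)"

# Narrow pattern: only key="value" / key='value' is recognised.
QUOTED_ONLY = re.compile(_PREFIX + _QUOTED, re.IGNORECASE)
# Broader pattern: quoted value, or a bare run of non-space characters.
QUOTED_OR_BARE = re.compile(
    _PREFIX + r"(?:" + _QUOTED + r"|[^\s\"']+)", re.IGNORECASE)


def _replace(match):
    # Keep the key and any quoting so the log line stays readable.
    quote = match.group("q") or ""
    return match.group("prefix") + quote + MASK + quote


def mask_quoted_only(message):
    """Mask secrets only when the value is quoted (the behaviour reported)."""
    return QUOTED_ONLY.sub(_replace, message)


def mask_quoted_or_bare(message):
    """Mask secrets whether or not the value is quoted."""
    return QUOTED_OR_BARE.sub(_replace, message)


def still_exposed(mask_fn, lines, secret):
    """Regression check: return the lines whose masked form still has the secret."""
    return [line for line in lines if secret in mask_fn(line)]


# The two command lines quoted in the bug description.
SAMPLE_COMMANDS = [
    '/usr/sbin/mysqld --password=top-secret',
    '/usr/sbin/mysqld --password="top-secret"',
]

if __name__ == "__main__":
    for fn in (mask_quoted_only, mask_quoted_or_bare):
        print(fn.__name__, [fn(c) for c in SAMPLE_COMMANDS],
              "exposed:", still_exposed(fn, SAMPLE_COMMANDS, "top-secret"))
```

A check like `still_exposed` fits in a unit test suite so that any new command-line or config format added to the logging path is exercised against the masker before release.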