yahoo-eng-team team mailing list archive

[Bug 1345233] Re: Make the checks in strutils.mask_password more secure (CVE-2014-7231)

** Changed in: nova/icehouse
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1345233

Title:
  Make the checks in strutils.mask_password more secure (CVE-2014-7231)

Status in OpenStack Compute (Nova):
  Invalid
Status in OpenStack Compute (nova) havana series:
  Fix Released
Status in OpenStack Compute (nova) icehouse series:
  Fix Released
Status in Oslo utility library:
  Fix Released

Bug description:
  Relates to findings while fixing
  https://bugs.launchpad.net/ossa/+bug/1343604

  mask_password() needs to be more robust and catch many more common
  formats of strings that could include passwords.

  An example is that it does not catch something like
  '--password=top-secret' but does catch '--password="top-secret"'. See
  below; the logged messages are being generated by using mask_password().

  /usr/sbin/mysqld --password=top-secret

  2014-07-19 18:35:01.415 20588 ERROR openstack.common.processutils [-]
  Running cmd (subprocess): /usr/sbin/mysqld --password=secret

  They did catch

  /usr/sbin/mysqld --password="top-secret"

  2014-07-19 18:35:48.686 20605 ERROR openstack.common.processutils [-]
  Running cmd (subprocess): /usr/sbin/mysqld --password="***"

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1345233/+subscriptions
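As an added illustration (not code from oslo or nova), a minimal Python mask_password in the shape the bug describes: a quoted-only pattern set that reproduces the reported gap, and a hardened set that also masks an unquoted --password=value and a JSON-style "key": "value" pair. The key list and the exact pattern shapes are assumptions, not the library's actual ones.

```python
import re

# Illustrative key list; the real oslo list may differ (assumption).
SANITIZE_KEYS = ['password', 'admin_pass', 'adminPass', 'admin_password']

# Pre-fix behaviour as described in the bug: only a quoted value is masked.
QUOTED_ONLY_PATTERNS = [
    r'(%(key)s\s*=\s*["\']).*?(["\'])',
]

# Hardened set: additionally mask an unquoted key=value up to the next
# whitespace, and a JSON/dict style "key": "value" pair.
HARDENED_PATTERNS = QUOTED_ONLY_PATTERNS + [
    r'(%(key)s\s*=\s*)[^\s"\']+',
    r'(["\']%(key)s["\']\s*:\s*["\']).*?(["\'])',
]


def compile_patterns(templates):
    """Expand each template once per sensitive key, case-insensitively."""
    return [re.compile(t % {'key': k}, re.IGNORECASE)
            for k in SANITIZE_KEYS for t in templates]


def mask_password(message, secret='***', templates=HARDENED_PATTERNS):
    """Replace the value following any sensitive key with `secret`.

    Two-group patterns keep the opening and closing delimiters around the
    secret; single-group patterns keep only the prefix (key and '=').
    """
    for pattern in compile_patterns(templates):
        if pattern.groups == 2:
            message = pattern.sub(r'\g<1>' + secret + r'\g<2>', message)
        else:
            message = pattern.sub(r'\g<1>' + secret, message)
    return message


def mask_quoted_only(message):
    """Mimic the pre-fix, quoted-values-only behaviour for comparison."""
    return mask_password(message, templates=QUOTED_ONLY_PATTERNS)


if __name__ == '__main__':
    # Constructed inputs mirroring the two commands in the bug report.
    for cmd in ('/usr/sbin/mysqld --password=top-secret',
                '/usr/sbin/mysqld --password="top-secret"',
                '{"adminPass": "top-secret"}'):
        print('quoted-only:', mask_quoted_only(cmd))
        print('hardened   :', mask_password(cmd))
```

The quoted-only variant leaves the unquoted command line untouched, which is exactly the leak the report shows; the hardened variant masks both forms without double-masking an already redacted value.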