yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #41451
[Bug 1443598] Re: [OSSA 2015-008] backend_argument containing a password leaked in logs (CVE-2015-3646)
** Changed in: keystone/juno
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1443598
Title:
[OSSA 2015-008] backend_argument containing a password leaked in logs
(CVE-2015-3646)
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) icehouse series:
Fix Released
Status in OpenStack Identity (keystone) juno series:
Fix Released
Status in OpenStack Identity (keystone) kilo series:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
The keystone.conf has an option backend_argument to set various
options for the caching backend. As documented, some of the potential
values can contain a password.
Snippet from
http://docs.openstack.org/developer/keystone/developing.html#dogpile-
cache-based-mongodb-nosql-backend
[cache]
# Global cache functionality toggle.
enabled = True
# Referring to specific cache backend
backend = keystone.cache.mongo
# Backend specific configuration arguments
backend_argument = db_hosts:localhost:27017
backend_argument = db_name:ks_cache
backend_argument = cache_collection:cache
backend_argument = username:test_user
backend_argument = password:test_password
As a result, passwords can be leaked to the keystone logs since the
config options is not marked secret.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1443598/+subscriptions
References