
yahoo-eng-team team mailing list archive

[Bug 1524675] Re: lbaasv2-agent is logging credentials from barbican

 

Note that this bug was public for 6 hours and e-mail copies of all the
information it contains were forwarded to anyone who subscribes to
Neutron on Launchpad (easily numbering in the hundreds of recipients).
As they say, you can't put the beans back in the can.

** Information type changed from Private Security to Public Security

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1524675

Title:
  lbaasv2-agent is logging credentials from barbican

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  In Liberty, a neutron-lbaasv2-agent is logging credentials retrieved
  from Barbican when debug=True (e.g. cert, private key, passphrase).

  This creates a security issue.

  example: http://paste.openstack.org/show/481439/ (part of
  /var/log/neutron/neutron-lbaasv2-agent.log)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1524675/+subscriptions
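
A mitigation for the failure mode reported above, as an added example that is not part of the original bug report or of the neutron-lbaas code: a Python `logging` filter that masks PEM private keys and passphrase-like values before a debug record is written. The key names and the sample log line are constructed assumptions, not the contents of the referenced paste; certificates are left as-is in this example.

```python
import io
import logging
import re

# Any PEM-armoured private key (RSA, EC, ENCRYPTED, PKCS#8 ...).
PEM_KEY = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.DOTALL)
# key=value or 'key': 'value' pairs whose key name marks a secret.
# The key names are assumptions; extend them to match your own log format.
SECRET_KV = re.compile(
    r"""(?P<key>['"]?(?:private_key|passphrase|password)['"]?\s*[:=]\s*)"""
    r"""(?P<val>'[^']*'|"[^"]*"|[^\s,}]+)""", re.IGNORECASE)


def redact(text):
    """Return text with private keys and secret values masked."""
    text = PEM_KEY.sub("<redacted private key>", text)
    return SECRET_KV.sub(lambda m: m.group("key") + "'***'", text)


class RedactSecretsFilter(logging.Filter):
    """Mask secrets after %-formatting, so values passed as args are covered."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # message is already fully formatted
        return True


def demo():
    """Log one constructed debug line through the filter; return the output."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecretsFilter())  # on the handler: covers all loggers
    log = logging.getLogger("redaction-demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers = [handler]
    tls = {  # constructed sample, not taken from the bug's paste
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
        "passphrase": "s3cret",
    }
    log.debug("TLS container fetched: %s", tls)
    return buf.getvalue()
```

A filter like this is a safety net at the logging layer; it only catches the patterns it knows, so the primary fix remains not passing secret-bearing objects to log calls at any level.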

