yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1575909] Re: VPN shared PSK shown in plaintext

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Rob Cresswell <robert.cresswell@xxxxxxxxxxx>
Date: Thu, 02 Mar 2017 17:47:18 -0000
Reply-to: Bug 1575909 <1575909@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: horizon
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1575909

Title:
  VPN shared PSK shown in plaintext

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  In the neutron VPN details and form,
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/templates/vpn/_ipsecsiteconnection_details.html#L43
  and
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/forms.py#L249
  don't offer the option of hiding the string. Typically sensitive
  information like passwords is hidden by default, requiring the user to
  explicitly choose to make it visible by clicking an icon (like the eye
  icon).

  Filing this as a security bug out of an overabundance of caution;
  while it is related to security it doesn't describe a vulnerability
  that can be exploited by means other than shoulder surfing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1575909/+subscriptions