Package: nova Version: 2014.1.3-4 Severity: important Tags: security Description: Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed (CVE-2014-7230) or when mask_password did not mask passwords properly (CVE-2014-7231). All Cinder, Nova and Trove setups are affected.
This patch: https://review.openstack.org/121096 (Nova) seems to be already applied. This one: https://review.openstack.org/126699 (Nova ssh_execute) will be included in the next upload: nova 2014.1.3-5. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org