[Yahoo-eng-team] [Bug 1377981] Re: Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)

2014-10-08 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/126594
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ee3594072a7ef1c3f5661021fb31118069cbd646
Submitter: Jenkins
Branch:    proposed/juno

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray 
Date:   Fri Oct 3 19:53:42 2014 +

Mask passwords in exceptions and error messages

When a ProcessExecutionError is thrown by processutils.ssh_execute(),
the exception may contain information such as a password. Upstream
applications that just log the message (as several appear to do)
could inadvertently expose these passwords to a user with read access to
the log files. It is therefore considered prudent to invoke
strutils.mask_password() on the command, stdout and stderr in the
exception. A test case has been added (to oslo-incubator) in order to
ensure that all three are properly masked.

An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
to address ssh_execute(). This change set addresses ssh_execute.

OSSA is aware of this change request.

Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
Closes-Bug: #1377981


** Changed in: nova
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1377981

Title:
  Missing fix for ssh_execute (Exceptions thrown may contain passwords)
  (CVE-2014-7230, CVE-2014-7231)

Status in Cinder:
  Fix Released
Status in Cinder icehouse series:
  In Progress
Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) icehouse series:
  New
Status in The Oslo library incubator:
  Fix Released
Status in oslo-incubator icehouse series:
  New
Status in OpenStack Security Advisories:
  In Progress

Bug description:
  Former bugs:
  https://bugs.launchpad.net/ossa/+bug/1343604
  https://bugs.launchpad.net/ossa/+bug/1345233

  The ssh_execute method is still affected in the Cinder and Nova Icehouse releases.
  It is prone to password leak if:
  - passwords are used on the command line
  - execution fails
  - calling code catches and logs the exception

  The missing fix from oslo-incubator to be merged is:
  6a60f84258c2be3391541dbe02e30b8e836f6c22

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1377981/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
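
The leak and the fix described in the commit message above, as an added example that is not code from oslo-incubator, Nova or Cinder. Here `mask_password` is a simplified stand-in for `strutils.mask_password()`, and `fake_remote`, the key list and the command line are constructed for illustration.

```python
import re

# Simplified stand-in for strutils.mask_password(); the key list and the
# patterns are assumptions of this example, not oslo's implementation.
_KEYS = r"(?:password|passwd|admin_pass)"
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|\S+)"   # quoted (may contain spaces) or bare
_PATTERNS = [
    re.compile(r"(--%s[=\s]+)%s" % (_KEYS, _VALUE), re.I),      # --password X
    re.compile(r"(\b%s\s*[=:]\s*)%s" % (_KEYS, _VALUE), re.I),  # password: X
]

def mask_password(text, secret="***"):
    for pat in _PATTERNS:
        text = pat.sub(lambda m: m.group(1) + secret, text)
    return text

class ProcessExecutionError(Exception):
    def __init__(self, cmd, exit_code, stdout, stderr):
        self.cmd, self.exit_code = cmd, exit_code
        self.stdout, self.stderr = stdout, stderr
        super().__init__("Command: %s\nExit code: %s\nStdout: %r\nStderr: %r"
                         % (cmd, exit_code, stdout, stderr))

def ssh_execute(run, cmd, mask=True):
    """run(cmd) stands in for the SSH channel: returns (exit_code, out, err)."""
    exit_code, stdout, stderr = run(cmd)
    if exit_code != 0:
        if mask:
            # Mask all three fields: the remote side may echo the command.
            cmd, stdout, stderr = (mask_password(s)
                                   for s in (cmd, stdout, stderr))
        raise ProcessExecutionError(cmd, exit_code, stdout, stderr)
    return stdout, stderr

def fake_remote(cmd):
    # Constructed failure: the remote tool echoes its arguments on error.
    return 1, "", "usage error near: " + cmd

def logged_message(mask):
    cmd = "storage-cli --user admin --password 'S3cr3t!' list"  # constructed
    try:
        ssh_execute(fake_remote, cmd, mask)
    except ProcessExecutionError as exc:
        return str(exc)  # what a caller doing LOG.error(exc) would write

if __name__ == "__main__":
    print("unmasked:\n%s\n" % logged_message(mask=False))
    print("masked:\n%s" % logged_message(mask=True))
```

Masking only the command is not enough in this scenario, because the secret reappears in stderr when the remote tool echoes its arguments.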


[Yahoo-eng-team] [Bug 1377981] Re: Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)

2014-10-07 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/126592
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d5efe6703297761215907eeaf703cec040e6ad25
Submitter: Jenkins
Branch:    proposed/juno

commit d5efe6703297761215907eeaf703cec040e6ad25
Author: Tristan Cacqueray 
Date:   Fri Oct 3 19:57:01 2014 +

Sync latest processutils from oslo-incubator

An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
to address ssh_execute(). This change set addresses ssh_execute.



oslo-incubator head:

commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
Merge: 9f5c700 2a130bf
Author: Jenkins 
Date:   Mon Sep 29 23:12:14 2014 +

Merge "Script to list unreleased changes in all oslo projects"

---

The sync pulls in the following changes (newest to oldest):

6a60f842 - Mask passwords in exceptions and error messages (SSH)

---

Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
Closes-Bug: #1377981
(cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567)


** Changed in: cinder
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1377981

Title:
  Missing fix for ssh_execute (Exceptions thrown may contain passwords)
  (CVE-2014-7230, CVE-2014-7231)

Status in Cinder:
  Fix Released
Status in Cinder icehouse series:
  In Progress
Status in OpenStack Compute (Nova):
  Fix Committed
Status in OpenStack Compute (nova) icehouse series:
  New
Status in The Oslo library incubator:
  Fix Released
Status in oslo-incubator icehouse series:
  New
Status in OpenStack Security Advisories:
  In Progress
