For Bandit I'm marking "Won't fix":
Offending code is:
    LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
There's no indication of what the kwargs are, so without a runtime
integration (ta
** Changed in: keystone/juno
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1465922
Title:
Password visible in clear text in keystone.log wh
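As an added example (not keystone's code, nor the fix that closed this bug), here is the reported debug call beside a version that masks sensitive keys before formatting, with an in-memory DEBUG logger so the difference is visible; it also masks nested dicts, going slightly beyond the flat kwargs in the report. The logger name, the SENSITIVE_KEYS set and the sample arguments are assumptions for the demo.

```python
import io
import logging

# Keys whose values must never reach a log file. This set and every sample
# value below are constructed for the demo and are not taken from keystone.
SENSITIVE_KEYS = {'password', 'secret', 'token', 'auth_token'}

def mask_dict(kwargs, secret='***'):
    """Copy kwargs with sensitive values replaced; nested dicts are masked too."""
    masked = {}
    for key, value in kwargs.items():
        if key.lower() in SENSITIVE_KEYS:
            masked[key] = secret
        elif isinstance(value, dict):
            masked[key] = mask_dict(value, secret)
        else:
            masked[key] = value
    return masked

def format_kwargs(kwargs):
    """The join used in the reported log call."""
    return ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])

def authorize_unsafe(log, action, **kwargs):
    """The reported pattern: whatever the caller passed is logged verbatim."""
    log.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
        'action': action, 'kwargs': format_kwargs(kwargs)})

def authorize_masked(log, action, **kwargs):
    """Same message, but sensitive keys are masked before formatting."""
    log.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
        'action': action, 'kwargs': format_kwargs(mask_dict(kwargs))})

def capture_debug(func, action, **kwargs):
    """Run func under a DEBUG logger that writes to memory and return the
    text, i.e. what an operator running in debug mode would find on disk."""
    log = logging.getLogger('rbac_demo')  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    log.addHandler(handler)
    try:
        func(log, action, **kwargs)
    finally:
        log.removeHandler(handler)
    return buf.getvalue()
```

Calling capture_debug with authorize_unsafe and a password keyword shows the secret in the captured line; with authorize_masked only the key name survives, which is what a grep of keystone.log for the password would be checking.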
We would typically issue an OSSN for such behaviour, it's somewhat
boilerplate but it's important to document the issue, particularly as a
number of production workloads run in debug mode.
I also think it's interesting that Bandit didn't catch this, it's pretty
good at finding these sorts of issue
** Changed in: keystone/kilo
Status: Fix Committed => Fix Released
--
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => liberty-2
--
** Also affects: keystone/kilo
Importance: Undecided
Status: New
** Also affects: keystone/juno
Importance: Undecided
Status: New
--
Was able to recreate locally on master.
** Changed in: keystone
Status: Won't Fix => Confirmed
** Changed in: keystone
Importance: Undecided => Medium
** Changed in: keystone
Assignee: (unassigned) => Brant Knudson (blk-u)
--
I believe the same is true in Keystone based on what Jeremy has linked
above.
** Changed in: keystone
Status: New => Won't Fix
--
The OpenStack VMT currently considers (based on existing precedent)
disclosure of sensitive information in debug-level logging a security
hardening opportunity, and does not issue security advisories for it.
This is class D in our report taxonomy: https://security.openstack.org/vmt-process.html#in