[SRU] ceilometer writing snmp credentials to log file

Fix proposed to branch: master
Review: https://review.openstack.org/629891

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/630364

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/630366

The attachment "lp1811098-stein.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Note there is a public fix proposed for this issue.

While reports of suspected vulnerabilities for ceilometer aren't officially overseen by the OpenStack vulnerability management team, we're happy to provide guidance in such matters. I've subscribed the Ceilometer Core security reviewers to the report, to improve visibility among them while it's set as private.

Given the fixes for this were proposed in public, and the bug was also opened initially public and remained so for a week, there's probably not much point in maintaining an embargo for this report and so should just follow open/public vulnerability management process at this stage.

A quick look at the reported defect and associated patches, it seems fairly straightforward. This is in line with what the OpenStack VMT would consider a class A report in our taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy As such, I'd recommend publishing some sort of Ceilometer notice or advisory about the issue once backports for all supported stable branches have merged.

This has been sponsored and uploaded to disco, cosmic and bionic and is awaiting SRU team review in the cosmic and bionic unapproved queues.

This bug was fixed in the package ceilometer - 1:12.0.0~b1~git2018111615.da95ab99-0ubuntu2

---------------
ceilometer (1:12.0.0~b1~git2018111615.da95ab99-0ubuntu2) disco; urgency=medium

  * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
    - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

 -- Edward Hope-Morley <email address hidden> Fri, 11 Jan 2019 11:54:23 +0000

Hello Edward, or anyone else affected,

Accepted ceilometer into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ceilometer/1:11.0.1-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Edward, or anyone else affected,

Accepted ceilometer into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ceilometer/1:10.0.1-0ubuntu0.18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Edward, or anyone else affected,

Accepted ceilometer into rocky-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:rocky-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-rocky-needed to verification-rocky-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-rocky-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

cosmic-proposed verified using [Test Case].

bionic-proposed verified using [Test Case].

rocky-proposed verified using [Test Case].

I agree with VMT's rating of class A. Will a CVE be requested for this?

A CVE can be requested by anyone for any defect. The OpenStack VMT doesn't generally request CVEs for projects it doesn't oversee, but we have a brief overview of what we'd generally recommend putting in MITRE's CVE Request form documented at https://security.openstack.org/vmt-process.html#send-cve-request if you're interested in following a similar process. Note that for an already-public report like this one, there are fewer bits to worry about (the process documentation attempts to call out the difference between what you'd do for still private embargoed reports vs already public reports).

The verification of the Stable Release Update for ceilometer has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ceilometer - 1:11.0.1-0ubuntu2

---------------
ceilometer (1:11.0.1-0ubuntu2) cosmic; urgency=medium

  * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
    - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

 -- Edward Hope-Morley <email address hidden> Fri, 11 Jan 2019 18:14:54 +0000

Hello Edward, or anyone else affected,

Accepted ceilometer into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:queens-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-queens-needed to verification-queens-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-queens-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

This flaw has been assigned as CVE-2019-3830 https://access.redhat.com/security/cve/cve-2019-3830

This bug was fixed in the package ceilometer - 1:10.0.1-0ubuntu0.18.04.2

---------------
ceilometer (1:10.0.1-0ubuntu0.18.04.2) bionic; urgency=medium

  * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
    - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

 -- Edward Hope-Morley <email address hidden> Fri, 11 Jan 2019 18:16:31 +0000

The verification of the Stable Release Update for ceilometer has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ceilometer - 1:11.0.1-0ubuntu2~cloud0
---------------

 ceilometer (1:11.0.1-0ubuntu2~cloud0) bionic-rocky; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ceilometer (1:11.0.1-0ubuntu2) cosmic; urgency=medium
 .
   * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
     - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

queens-proposed verified using [Test Case].

The verification of the Stable Release Update for ceilometer has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ceilometer - 1:10.0.1-0ubuntu0.18.04.2~cloud0
---------------

 ceilometer (1:10.0.1-0ubuntu0.18.04.2~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ceilometer (1:10.0.1-0ubuntu0.18.04.2) bionic; urgency=medium
 .
   * Backport fix to only log polling.yaml contents as DEBUG (LP: #1811098)
     - d/p/Only-print-polling.yaml-file-contents-as-DEBUG.patch

This issue was fixed in the openstack/ceilometer 12.0.0.0rc1 release candidate.

This issue was fixed in the openstack/ceilometer 11.1.0 release.

This issue was fixed in the openstack/ceilometer queens-eol release.