Comment 19 for bug 1275062

I concede to not being familiar enough with Swift's various deployment models, but do worry about getting overly specific about identifying affected configurations. The goal is to provide enough detail that the lowest-common-denominator operator/sysadmin can determine whether they should upgrade/apply the patch, without getting into the weeds and without being so verbose that they stop reading (which usually happens after the first few sentences). How about...

----

Title: Glance Swift store backend password leak
Reporter: Nikhil Komawar (Rackspace)
Products: Glance
Versions: 2013.2 versions up to 2013.2.1

Description:
Nikhil Komawar from Rackspace reported an information leak in Glance logs. The password for the Swift store backend is logged at WARNING level as part of the URL when authentication to a store fails if image location is not disabled by policy or the store is a single-tenant configuration. An attacker with access to the logs (local shell, log aggregation system access, or accidental leak) may leverage this vulnerability to elevate privileges and gain direct full access to the Glance Swift store backend. Only Glance setups using the Swift store backend are affected.