admin_token and LDAP password show up in log in DEBUG mode

Bug #1172195 reported by Thierry Carrez
Affects                        Status        Importance  Assigned to     Milestone
OpenStack Identity (keystone)  Fix Released  Low         Xu Han Peng
  Grizzly                      Fix Released  Low         Adam Gandelman

Bug Description

This is a by-product of bug 1168252.

Keystone auth_token and LDAP password are not marked "secret" so they appear in DEBUG level logs:

(keystone-all): 2013-04-23 23:17:09,101 DEBUG cfg log_opt_values admin_token = 111222333444
(keystone-all): 2013-04-23 23:17:09,108 DEBUG cfg log_opt_values ldap.password = None

Tags: security
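
The mechanism behind the leak, as an added example that is not Keystone's or oslo.config's own code: a small stand-in for the config-option registry whose log_opt_values dumps every registered option at DEBUG, masking the value only when the option carries secret=True (oslo.config masks secret options the same way). The option names, the LDAP bind password and the log format are constructed for the example; the admin_token value is the one from the report above. The scan at the end is the check a practitioner would run over real keystone-all DEBUG output to confirm the fix.

```python
"""Unflagged config options leak into DEBUG logs; secret=True masks them."""
import io
import logging
from dataclasses import dataclass


@dataclass
class Opt:
    """One config option. secret=True is the flag the fix adds."""
    name: str
    default: object = None
    secret: bool = False


class ConfigOpts:
    """Minimal stand-in for the oslo.config registry (assumption, not its code)."""

    def __init__(self):
        self._opts = {}
        self._values = {}

    def register_opts(self, opts, group=None):
        for opt in opts:
            key = opt.name if group is None else f"{group}.{opt.name}"
            self._opts[key] = opt
            self._values[key] = opt.default

    def set_override(self, key, value):
        self._values[key] = value

    def log_opt_values(self, logger, lvl):
        """Dump all option values; secret options are printed as '****'."""
        for key, opt in sorted(self._opts.items()):
            shown = "****" if opt.secret else self._values[key]
            logger.log(lvl, "log_opt_values %s = %s", key, shown)


def capture_debug_log(conf):
    """Run log_opt_values at DEBUG and return the emitted lines."""
    logger = logging.getLogger("keystone-all.example")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("(keystone-all): %(levelname)s cfg %(message)s"))
    logger.addHandler(handler)
    try:
        conf.log_opt_values(logger, logging.DEBUG)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().splitlines()


# Constructed sample values; the admin_token is the one shown in the report.
ADMIN_TOKEN = "111222333444"
LDAP_PASSWORD = "ldap-bind-pw"   # hypothetical bind password
SECRETS = (ADMIN_TOKEN, LDAP_PASSWORD)


def build_conf(secret):
    """Register admin_token and ldap.password, flagged secret or not."""
    conf = ConfigOpts()
    conf.register_opts([Opt("admin_token", secret=secret)])
    conf.register_opts(
        [Opt("url", default="ldap://localhost"), Opt("password", secret=secret)],
        group="ldap",
    )
    conf.set_override("admin_token", ADMIN_TOKEN)
    conf.set_override("ldap.password", LDAP_PASSWORD)
    return conf


def leaked_secrets(lines, secrets):
    """Return the secret values that appear verbatim in any log line."""
    return sorted({s for s in secrets if any(s in line for line in lines)})


def before_fix():
    """Options without secret=True: both values land in the DEBUG log."""
    return leaked_secrets(capture_debug_log(build_conf(secret=False)), SECRETS)


def after_fix():
    """Options with secret=True: the log shows '****' and nothing leaks."""
    return leaked_secrets(capture_debug_log(build_conf(secret=True)), SECRETS)


if __name__ == "__main__":
    for label, fn in (("unflagged", before_fix), ("secret=True", after_fix)):
        print(f"{label}: leaked {fn()}")
    for line in capture_debug_log(build_conf(secret=True)):
        print(line)
```

Note that secret=True only governs what log_opt_values prints; any other code path that formats the raw option value (an exception message, a custom debug statement) still needs its own masking, so the leaked_secrets scan over the full DEBUG log is the useful check after applying the fix.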

Thierry Carrez (ttx) wrote :

Kurt assigned CVE-2013-2006 for the OpenStack keystone LDAP password disclosure in log files

http://openwall.com/lists/oss-security/2013/04/24/1

tags: added: security
Thierry Carrez (ttx) wrote :
Changed in keystone:
assignee: nobody → Xu Han Peng (xuhanp)
status: New → In Progress
Alan Pevec (apevec)
tags: added: grizzly-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/26826
Committed: http://github.com/openstack/keystone/commit/d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8
Submitter: Jenkins
Branch: master

commit d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8
Author: Xuhan Peng <email address hidden>
Date: Fri Apr 12 16:19:37 2013 +0800

    Mark LDAP password and admin_token secret

    Add secret=True to LDAP password and admin_token
    of keystone configuration.

    Fix bug #1172195

    Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/27980

Alan Pevec (apevec)
Changed in keystone:
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/grizzly)

Reviewed: https://review.openstack.org/27980
Committed: http://github.com/openstack/keystone/commit/c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd
Submitter: Jenkins
Branch: stable/grizzly

commit c5037dd6b82909efaaa8720e8cfa8bdb8b4a0edd
Author: Xuhan Peng <email address hidden>
Date: Fri Apr 12 16:19:37 2013 +0800

    Mark LDAP password and admin_token secret

    Add secret=True to LDAP password and admin_token
    of keystone configuration.

    Fix bug #1172195

    Change-Id: I8ef7f705e3f6b374ff427c20eb761892d5146a75
    (cherry picked from commit d43e2a51a1ed7adbed3c5ddf001d46bc4a824ae8)

tags: removed: grizzly-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-1 → 2013.2