[OSSA-2017-001] CatchErrors leaks sensitive values in oslo.middleware (CVE-2017-2592)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Fix Released | High | Jeremy Stanley |
keystonemiddleware | Invalid | Undecided | Unassigned |
oslo.middleware | Fix Released | Undecided | Unassigned |
oslo.utils | Invalid | Undecided | Unassigned |
python-oslo.middleware (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Low | Unassigned |

Bug Description
I had reported LP bug https:/
Stacktrace from neutron:
X-Auth-Token: gAAAAABX6NfMz4L
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware
CVE References
affects: keystone → keystonemiddleware
Changed in ossa:
status: Incomplete → Confirmed
Changed in ossa:
status: Confirmed → In Progress
summary:
- keystonemiddleware logs token in stacktrace
+ keystonemiddleware logs token in stacktrace (CVE-2017-2592)
Changed in ossa:
importance: Undecided → High
assignee: nobody → Jeremy Stanley (fungi)
Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public
description: updated
information type: Public → Public Security
summary:
- keystonemiddleware logs token in stacktrace (CVE-2017-2592)
+ [OSSA-2017-001] keystonemiddleware logs token in stacktrace (CVE-2017-2592)
Changed in oslo.middleware:
status: New → Fix Released
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.