Comment 10 for bug 1673569

Jeremy Stanley (fungi) wrote : Re: Failed notification payload is dumped in logs with auth secrets

It looks like the backports are starting to get approved and merge now as well. Once they're all merged, I propose switching this bug to Public Security and following our lighter-weight public report disclosure process from that point instead of continuing to maintain an embargo (the risk posed by this bug seems pretty minimal).

Proposed impact description:

Title: Nova logs sensitive context from notification exceptions
Reporter: Matt Riedemann (Huawei)
Products: Nova
Affects: >=13.0.0 <=13.1.3, >=14.0.0 <=14.0.4, >=15.0.0 <=15.0.1

Description:
Matt Riedemann with Huawei reported a vulnerability in Nova. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens. All Nova setups are affected.