Comment 8 for bug 1343604

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Exceptions thrown by execute() return a command that potentially includes passwords

Hum, the mask_password is broader than stated; here is what I used to track affected versions:
find */* -iname "*.py" | xargs grep -r 'mask_password(' | grep -v ':def' | grep -v '>>>'

Here is the summary

mask_password: [stable/havana]: keystone
execute: [stable/havana]: cinder, glance, heat, keystone, neutron and nova

mask_password: [stable/icehouse]: keystone, nova and trove
execute: [stable/icehouse]: cinder, glance, heat, keystone, neutron, nova and trove

mask_password: [master]: cinder, glance, heat, keystone, nova and trove
execute: [master]: cinder, glance, heat, neutron, nova and trove are impacted

I simplified the affected versions; it may now include unaffected versions, but it is so much easier to read...
Here is the combined impact description draft #2:

Title: Potential password leak when a shell command fails or because of incorrect masking
Reporter: Amrith Kumar (Tesora)
Products: Cinder, Glance, Heat, Keystone, Neutron, Nova, Trove
Versions: up to 2013.2.3, 2014.1 versions up to 2014.1.1

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that fails, or when mask_password does not work properly. All services are impacted.
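The two leak paths named in the draft, as an added illustration that is not oslo-incubator's code or any project's copy of it: an execute() wrapper whose exception message carries the raw argv (and the tool's stderr, which often echoes that argv), beside a variant that masks both before the exception is built. The regex, the placeholder and the failing command are constructed for this example and make no claim about the actual oslo pattern list or the specific masking defect that was reported.

```python
import re
import subprocess
import sys

# Constructed pattern for this illustration only (not oslo's list): it covers
# "password=VALUE", "password VALUE" and the passwd/secret spellings.
_SECRET_RE = re.compile(r"(?i)(\b(?:password|passwd|secret)(?:=|\s+))(\S+)")


def mask_password(text, secret="***"):
    """Replace the value following a password-like key with a placeholder."""
    return _SECRET_RE.sub(lambda m: m.group(1) + secret, text)


class ProcessExecutionError(Exception):
    """Raised on non-zero exit; str(exc) is what ends up in the service log."""

    def __init__(self, cmd, exit_code, stderr):
        self.cmd = cmd
        self.exit_code = exit_code
        self.stderr = stderr
        super().__init__(
            "Command %r failed (exit %d): %s" % (cmd, exit_code, stderr.strip()))


def _run(cmd):
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stderr


def execute_unsafe(*cmd):
    """Leak path: the raw argv, secrets included, goes into the exception."""
    rc, err = _run(list(cmd))
    if rc != 0:
        raise ProcessExecutionError(" ".join(cmd), rc, err)


def execute_masked(*cmd):
    """Masked at the point the message is built, so every caller that logs
    str(exc) benefits; stderr is masked too because tools echo their args."""
    rc, err = _run(list(cmd))
    if rc != 0:
        raise ProcessExecutionError(mask_password(" ".join(cmd)), rc,
                                    mask_password(err))


def failure_message(execute_fn, cmd):
    """Return the exception text a logger would record, or '' on success."""
    try:
        execute_fn(*cmd)
    except ProcessExecutionError as exc:
        return str(exc)
    return ""


# Constructed failing command: the interpreter itself exits 3 and echoes its
# argv to stderr, standing in for a CLI that takes a password on the command line.
FAILING_CMD = [
    sys.executable, "-c",
    "import sys; sys.stderr.write('bad args: %s\\n' % ' '.join(sys.argv[1:])); "
    "sys.exit(3)",
    "--user", "admin", "--password=hunter2",
]

if __name__ == "__main__":
    print(failure_message(execute_unsafe, FAILING_CMD))
    print(failure_message(execute_masked, FAILING_CMD))
```

Masking the argv alone is not enough when the failing tool prints its own arguments back, which is why the masked variant runs stderr through the same function. The second class of issue in the draft, masking that "does not work properly", is inherent to this approach: a pattern-based mask only catches the option spellings it knows, so any secret passed under an unlisted flag name passes through untouched.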