| 2016-09-27 10:27:43 |
Divya K Konoor |
bug |
|
|
added bug |
| 2016-09-27 10:28:12 |
Divya K Konoor |
affects |
keystone |
keystonemiddleware |
|
| 2016-09-27 10:28:32 |
Divya K Konoor |
bug |
|
|
added subscriber Matthew Edmonds |
| 2016-09-27 10:37:56 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2016-09-27 10:38:11 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2016-09-27 10:38:22 |
Tristan Cacqueray |
description |
I had reported LP bug https://bugs.launchpad.net/keystonemiddleware/+bug/1627696 yesterday and I see that in cases where an error of this kind occurs the auth token used to place the rest call to neutron us logged as part of the stacktrace (which logs the headers including the token). I am not sure if this needs to be handled at the oslo_middleware layer or keystonemiddleware layer.
Stacktrace from neutron:
X-Auth-Token: gAAAAABX6NfMz4Lj4sYIDHu0eXr9oxymDrJTDOOrKztp0NElSiZcs9Umr-v8P-s8VP_lz_aVKPobfoj1ROP9X9amp8ACqwa4FNRvFX5IatzwmjAKR42AZZnuD4jxoJoC05iT-UKIY81gqHsOY8v7DbqTLSE2eOFwrFKZIMQBUDlDaeqwpce0LDp-dZrM2JIta9tOz99aOH5CShyu-ihMy3F87CN3cMdK5qHIr7oM1UiXc97zgzbDOTA
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors Traceback (most recent call last):
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/oslo_middleware/catch_errors.py", line 38, in __call__
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors response = req.get_response(self.application)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1296, in send
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors application, catch_exc_info=False)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1260, in |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
I had reported LP bug https://bugs.launchpad.net/keystonemiddleware/+bug/1627696 yesterday and I see that in cases where an error of this kind occurs the auth token used to place the rest call to neutron us logged as part of the stacktrace (which logs the headers including the token). I am not sure if this needs to be handled at the oslo_middleware layer or keystonemiddleware layer.
Stacktrace from neutron:
X-Auth-Token: gAAAAABX6NfMz4Lj4sYIDHu0eXr9oxymDrJTDOOrKztp0NElSiZcs9Umr-v8P-s8VP_lz_aVKPobfoj1ROP9X9amp8ACqwa4FNRvFX5IatzwmjAKR42AZZnuD4jxoJoC05iT-UKIY81gqHsOY8v7DbqTLSE2eOFwrFKZIMQBUDlDaeqwpce0LDp-dZrM2JIta9tOz99aOH5CShyu-ihMy3F87CN3cMdK5qHIr7oM1UiXc97zgzbDOTA
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors Traceback (most recent call last):
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/oslo_middleware/catch_errors.py", line 38, in __call__
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors response = req.get_response(self.application)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1296, in send
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors application, catch_exc_info=False)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1260, in |
|
| 2016-09-27 10:38:31 |
Tristan Cacqueray |
bug |
|
|
added subscriber Keystone Core security contacts |
| 2016-09-28 01:44:38 |
Steve Martinelli |
bug |
|
|
added subscriber Jamie Lennox |
| 2016-09-28 03:17:18 |
Steve Martinelli |
bug |
|
|
added subscriber Steve Martinelli |
| 2016-09-28 05:12:50 |
Jamie Lennox |
attachment added |
|
0001-Filter-token-data-out-of-catch_errors-middleware.patch https://bugs.launchpad.net/keystonemiddleware/+bug/1628031/+attachment/4749961/+files/0001-Filter-token-data-out-of-catch_errors-middleware.patch |
|
| 2016-09-28 05:13:41 |
Jamie Lennox |
bug task added |
|
oslo.middleware |
|
| 2016-09-28 13:14:05 |
Steve Martinelli |
keystonemiddleware: status |
New |
Invalid |
|
| 2016-10-11 13:28:44 |
Matthew Edmonds |
bug task added |
|
oslo.utils |
|
| 2016-10-18 22:33:38 |
Matthew Edmonds |
attachment added |
|
0001-mask-secrets-in-CatchErrors-middleware.patch https://bugs.launchpad.net/ossa/+bug/1628031/+attachment/4763456/+files/0001-mask-secrets-in-CatchErrors-middleware.patch |
|
| 2016-10-19 03:11:51 |
Steve Martinelli |
bug |
|
|
added subscriber Amrith |
| 2016-11-03 14:41:29 |
Steve Martinelli |
oslo.utils: status |
New |
Invalid |
|
| 2016-11-03 14:45:43 |
Jeremy Stanley |
ossa: status |
Incomplete |
Confirmed |
|
| 2017-01-11 17:18:20 |
Jeremy Stanley |
bug |
|
|
added subscriber Oslo Core security contacts |
| 2017-01-18 21:29:35 |
Morgan Fainberg |
bug |
|
|
added subscriber OpenStack release team |
| 2017-01-18 21:54:57 |
Jeremy Stanley |
ossa: status |
Confirmed |
In Progress |
|
| 2017-01-19 13:52:59 |
Jeremy Stanley |
cve linked |
|
2017-2592 |
|
| 2017-01-19 13:53:23 |
Jeremy Stanley |
summary |
keystonemiddleware logs token in stacktrace |
keystonemiddleware logs token in stacktrace (CVE-2017-2592) |
|
| 2017-01-23 15:59:03 |
Jeremy Stanley |
ossa: importance |
Undecided |
High |
|
| 2017-01-23 15:59:08 |
Jeremy Stanley |
ossa: assignee |
|
Jeremy Stanley (fungi) |
|
| 2017-01-23 16:19:13 |
Jeremy Stanley |
attachment added |
|
Master (ocata) branch rebase of patch from comment #2 https://bugs.launchpad.net/keystonemiddleware/+bug/1628031/+attachment/4808149/+files/cve-2017-2592-master-ocata.patch |
|
| 2017-01-23 17:47:10 |
Jeremy Stanley |
ossa: status |
In Progress |
Fix Committed |
|
| 2017-01-23 17:54:49 |
Jeremy Stanley |
bug |
|
|
added subscriber Bryan Stephenson |
| 2017-01-26 14:43:55 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
| 2017-01-26 14:44:16 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
I had reported LP bug https://bugs.launchpad.net/keystonemiddleware/+bug/1627696 yesterday and I see that in cases where an error of this kind occurs the auth token used to place the rest call to neutron us logged as part of the stacktrace (which logs the headers including the token). I am not sure if this needs to be handled at the oslo_middleware layer or keystonemiddleware layer.
Stacktrace from neutron:
X-Auth-Token: gAAAAABX6NfMz4Lj4sYIDHu0eXr9oxymDrJTDOOrKztp0NElSiZcs9Umr-v8P-s8VP_lz_aVKPobfoj1ROP9X9amp8ACqwa4FNRvFX5IatzwmjAKR42AZZnuD4jxoJoC05iT-UKIY81gqHsOY8v7DbqTLSE2eOFwrFKZIMQBUDlDaeqwpce0LDp-dZrM2JIta9tOz99aOH5CShyu-ihMy3F87CN3cMdK5qHIr7oM1UiXc97zgzbDOTA
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors Traceback (most recent call last):
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/oslo_middleware/catch_errors.py", line 38, in __call__
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors response = req.get_response(self.application)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1296, in send
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors application, catch_exc_info=False)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1260, in |
I had reported LP bug https://bugs.launchpad.net/keystonemiddleware/+bug/1627696 yesterday and I see that in cases where an error of this kind occurs the auth token used to place the rest call to neutron us logged as part of the stacktrace (which logs the headers including the token). I am not sure if this needs to be handled at the oslo_middleware layer or keystonemiddleware layer.
Stacktrace from neutron:
X-Auth-Token: gAAAAABX6NfMz4Lj4sYIDHu0eXr9oxymDrJTDOOrKztp0NElSiZcs9Umr-v8P-s8VP_lz_aVKPobfoj1ROP9X9amp8ACqwa4FNRvFX5IatzwmjAKR42AZZnuD4jxoJoC05iT-UKIY81gqHsOY8v7DbqTLSE2eOFwrFKZIMQBUDlDaeqwpce0LDp-dZrM2JIta9tOz99aOH5CShyu-ihMy3F87CN3cMdK5qHIr7oM1UiXc97zgzbDOTA
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors Traceback (most recent call last):
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/oslo_middleware/catch_errors.py", line 38, in __call__
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors response = req.get_response(self.application)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1296, in send
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors application, catch_exc_info=False)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1260, in |
|
| 2017-01-26 15:13:41 |
Jeremy Stanley |
information type |
Public |
Public Security |
|
| 2017-01-26 15:24:15 |
Jeremy Stanley |
summary |
keystonemiddleware logs token in stacktrace (CVE-2017-2592) |
[OSSA-2017-001] keystonemiddleware logs token in stacktrace (CVE-2017-2592) |
|
| 2017-01-26 18:59:38 |
Jeremy Stanley |
summary |
[OSSA-2017-001] keystonemiddleware logs token in stacktrace (CVE-2017-2592) |
[OSSA-2017-001] CatchErrors leaks sensitive values in oslo.middleware (CVE-2017-2592) |
|
| 2017-01-26 19:42:24 |
OpenStack Infra |
ossa: status |
Fix Committed |
Fix Released |
|
| 2017-01-26 22:26:42 |
OpenStack Infra |
tags |
|
in-stable-newton |
|
| 2017-01-26 22:26:50 |
OpenStack Infra |
tags |
in-stable-newton |
in-stable-mitaka in-stable-newton |
|
| 2017-04-05 15:37:11 |
ChangBo Guo(gcb) |
oslo.middleware: status |
New |
Fix Released |
|
| 2017-06-28 10:15:03 |
Ante Karamatić |
bug task added |
|
python-oslo.middleware (Ubuntu) |
|
| 2017-06-28 10:17:13 |
Ante Karamatić |
bug |
|
|
added subscriber Ubuntu Security Team |
| 2017-06-28 12:26:52 |
Ubuntu Foundations Team Bug Bot |
tags |
in-stable-mitaka in-stable-newton |
in-stable-mitaka in-stable-newton patch |
|
| 2017-06-28 12:26:58 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
| 2017-10-23 13:08:46 |
James Page |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-10-23 13:08:46 |
James Page |
bug task added |
|
python-oslo.middleware (Ubuntu Xenial) |
|
| 2017-10-23 13:08:56 |
James Page |
python-oslo.middleware (Ubuntu): status |
New |
Fix Released |
|
| 2017-10-23 13:09:01 |
James Page |
python-oslo.middleware (Ubuntu Xenial): status |
New |
Triaged |
|
| 2017-10-23 13:09:05 |
James Page |
python-oslo.middleware (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2017-10-23 13:10:51 |
James Page |
python-oslo.middleware (Ubuntu Xenial): importance |
High |
Low |
|
| 2018-05-09 07:36:52 |
Tobias Urdin |
bug |
|
|
added subscriber Tobias Urdin |
| 2018-05-10 14:48:26 |
Corey Bryant |
attachment added |
|
ubuntu-xenial-1628031.patch https://bugs.launchpad.net/keystonemiddleware/+bug/1628031/+attachment/5137255/+files/ubuntu-xenial-1628031.patch |
|
| 2018-05-10 14:49:10 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
| 2018-05-24 16:14:31 |
Corey Bryant |
bug |
|
|
added subscriber Corey Bryant |
| 2018-05-31 00:43:46 |
Launchpad Janitor |
python-oslo.middleware (Ubuntu Xenial): status |
Triaged |
Fix Released |
|
