There is a bit of confusion around this bug. There are two issues:
1/ LDAP password is specified in a world-readable file
This is not a Keystone issue. This is a packaging/deployment issue: that file should not be deployed world-readable. At most that would be a devstack issue (although I don't think anyone ever relied on devstack to deploy openstack in any kind of secure fashion) -- and the CVE should be updated to reflect that.
2/ LDAP password config option is not marked "secret" so it MAY show in logs
That's what the proposed fix actually fixes. I'm not sure the LDAP password is actually logged anywhere, but marking it secret actually makes sure it would not show if that was the case. This should be filed as a separate bug.
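The two issues separated above map onto two different checks: the file mode of the deployed config (a packaging concern) and whether a sensitive option is flagged so that a config dump masks it (the "secret" concern). The example below is added here and is not Keystone's or oslo.config's own code; it is a simplified, self-contained model of the mechanism, with a constructed sample config and illustrative option names (`url`, `user`, `password`) that are assumptions rather than Keystone's real option set.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

MASK = "****"

@dataclass(frozen=True)
class Opt:
    name: str
    default: str = ""
    secret: bool = False  # True: the value is replaced by MASK in any dump/log line

# Hypothetical option registry, modelled on a config library's "secret" flag.
# The option names are illustrative, not Keystone's actual [ldap] options.
LDAP_OPTS = [
    Opt("url", "ldap://localhost"),
    Opt("user", "cn=Manager,dc=example,dc=com"),
    Opt("password", secret=True),
]

# Constructed sample config; the password value is made up for the example.
SAMPLE_CONF = """[ldap]
url = ldap://ldap.example.test
user = cn=Manager,dc=example,dc=test
password = s3cret-example
"""

def parse_ini_section(text, section):
    """Minimal INI parser for one section: returns {key: value}."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = (line[1:-1] == section)
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def render_opt_values(opts, values):
    """Lines a log-the-effective-config routine would emit; secret opts are masked."""
    lines = []
    for opt in opts:
        val = values.get(opt.name, opt.default)
        lines.append(f"{opt.name} = {MASK if opt.secret else val}")
    return lines

def world_readable(path):
    """True if 'other' has read permission on the file (the packaging issue)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def load_config(path, section="ldap", opts=LDAP_OPTS):
    """Load one section; return (raw values, masked dump lines, deployment warnings)."""
    warnings = []
    if world_readable(path):
        warnings.append(f"{path} is world-readable; every local user can read its secrets")
    with open(path) as fh:
        values = parse_ini_section(fh.read(), section)
    return values, render_opt_values(opts, values), warnings

def write_sample_conf(mode):
    """Write SAMPLE_CONF to a temp file with the given POSIX mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    path = write_sample_conf(0o644)  # typical packaging mistake: readable by all
    values, dump, warnings = load_config(path)
    print("\n".join(dump))
    for w in warnings:
        print("WARNING:", w)
    os.unlink(path)
```

Running it on the 0o644 file prints the dump with `password = ****` and one warning; redeploying the file as 0o600 silences the warning while the dump stays masked, which is exactly the split between the two issues: the mask fixes the logging exposure, the file mode fixes the disclosure to local users.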