Your message dated Fri, 17 Oct 2014 16:34:07 +0000
with message-id <[email protected]>
and subject line Bug#765704: fixed in cinder 2014.1.3-4
has caused the Debian Bug report #765704,
regarding CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log
files.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
765704: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765704
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cinder
Version: 2014.1.3-3
Severity: important
Tags: security
Amrith Kumar from Tesora reported two vulnerabilities in the
processutils.execute() and strutils.mask_password() functions available
from oslo-incubator that are copied into each project's code. An
attacker with read access to the services' logs may obtain passwords
used as a parameter of a command that has failed (CVE-2014-7230) or when
mask_password did not mask passwords properly (CVE-2014-7231). All
Cinder, Nova and Trove setups are affected.
Note from package maintainer:
The fix here:
https://review.openstack.org/121382 (Cinder)
is already applied on 2014.1.3, and the fix here:
https://review.openstack.org/126665 (Cinder ssh_execute)
will be uploaded in 2014.1.3-4 which I'm currently preparing.
Thomas Goirand (zigo)
--- End Message ---
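An added illustration (not the oslo-incubator or Cinder code, and not the upstream patch) of the mitigation the report points to: sanitize both the command line and the captured stderr before the error for a failed command is built, so that logging the exception cannot expose a password. The key names, the regular expressions, `CommandFailed` and `run` are assumptions made for this example.

```python
import re
import subprocess
import sys

# Illustrative secret-key names (assumption); extend for the options your services use.
_KEY = r"[\w-]*(?:passw(?:or)?d|secret|token)[\w-]*"
_PAIR = re.compile(r"(?i)(" + _KEY + r"""["']?\s*[:=]\s*["']?)[^\s"',;&]+""")
_FLAG = re.compile(r"(?i)^-{1,2}" + _KEY + r"$")
_URL = re.compile(r"(://[^:/@\s]+:)[^@/\s]+(@)")


def mask_text(text, secret="***"):
    """Mask key=value / key: value pairs and user:pass@ URL credentials."""
    text = _PAIR.sub(lambda m: m.group(1) + secret, text)
    return _URL.sub(lambda m: m.group(1) + secret + m.group(2), text)


def mask_argv(argv, secret="***"):
    """Mask an argv list, including the value that follows a bare secret flag."""
    out, hide_next = [], False
    for arg in argv:
        out.append(secret if hide_next else mask_text(arg, secret))
        # A flag such as --password marks the next element as the secret value.
        hide_next = bool(_FLAG.match(arg)) and not hide_next
    return out


class CommandFailed(Exception):
    """Holds only sanitized data, so logging the exception is safe."""

    def __init__(self, argv, returncode, stderr):
        self.cmd = " ".join(mask_argv(argv))
        self.returncode = returncode
        self.stderr = mask_text(stderr)
        super().__init__("%r exited %d: %s" % (self.cmd, returncode, self.stderr))


def run(argv):
    """Run argv without a shell; on failure raise an already-masked error."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise CommandFailed(argv, proc.returncode, proc.stderr)
    return proc.stdout
```

Masking at the point where the exception is constructed means every caller that logs or re-raises it inherits the protection, instead of relying on each log call to remember to mask.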
--- Begin Message ---
Source: cinder
Source-Version: 2014.1.3-4
We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated cinder package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 17 Oct 2014 20:44:08 +0800
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler
cinder-backup
Architecture: source all
Version: 2014.1.3-4
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
cinder-api - OpenStack block storage system - API server
cinder-backup - OpenStack block storage system - Backup server
cinder-common - OpenStack block storage system - common files
cinder-scheduler - OpenStack block storage system - Scheduler server
cinder-volume - OpenStack block storage system - Volume server
python-cinder - OpenStack block storage system - Python libraries
Closes: 765704
Changes:
cinder (2014.1.3-4) unstable; urgency=high
.
* CVE-2014-7230 & CVE-2014-7231: Potential leak of passwords into log files.
Applied upstream patch (Closes: #765704).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---