Hi,

If your project is using secrets in Zuul v3, please see the attached
message to determine whether they may have been disclosed.

OpenStack's Zuul is now running with the referenced fix in place, and we
have verified that the secrets used in the project-config repo (e.g., to
upload logs and artifacts) were not subject to disclosure.

-Jim

--- Begin Message ---
Dear zuul operators

Simon Westphahl discovered a flaw within the JSON logging of Zuul where no_log is
ignored for Ansible loops. Tasks within a loop may be able to print decrypted
secrets in job-output.json, despite setting no_log.

This is fixed in https://review.openstack.org/552799 by Simon.

All operators are encouraged to take the following actions:

* Update your Zuul
* Check if any jobs dealing with secrets also deal with them in loops using
no_log. If not, you're safe.
* If yes, check whether job-output.json contains secrets
* If yes, change your secret

Sorry for any inconvenience

Tobias


--
BMW Car IT GmbH
Tobias Henkel
Development Specialist
Moosacher Straße 86
80809 München

Tel.:  +49 89 189311-48
Fax:  +49 89 189311-20
Mail: tobias.hen...@bmw.de
Web: http://www.bmw-carit.de
-----------------------------------------------------------------------------
BMW Car IT GmbH
Managing Directors: Kai-Uwe Balszuweit
and Christian Salzmann
Registered office and court of registration: München HRB 134810
-----------------------------------------------------------------------------


_______________________________________________
Zuul-announce mailing list
zuul-annou...@lists.zuul-ci.org
http://lists.zuul-ci.org/cgi-bin/mailman/listinfo/zuul-announce

--- End Message ---
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
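As an added example, not part of either message and not Zuul's own tooling: a format-agnostic check for the "check whether job-output.json contains secrets" step, walking every string in the file and reporting where the decrypted secret values appear. The JSON layout of the sample, the `walk` and `find_secret_leaks` helpers, and the secret values are all constructed for illustration and do not reflect the real job-output.json schema.

```python
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample shaped loosely like a job-output.json fragment; the layout
# is an assumption for illustration, not the real schema. The single task is
# censored as no_log intends, while the looped task leaks its items per result.
SAMPLE_JOB_OUTPUT = json.dumps({
    "plays": [{
        "play": {"name": "upload"},
        "tasks": [
            {"task": {"name": "single task"},
             "hosts": {"localhost": {"censored": "output hidden because no_log was set"}}},
            {"task": {"name": "looped task"},
             "hosts": {"localhost": {"results": [
                 {"item": "user=deploy password=s3cr3t-pass", "changed": True},
                 {"item": "token=tok-EXAMPLE-0000", "changed": True}]}}},
        ],
    }],
})


def walk(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string_value) for every string leaf, whatever the layout."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_secret_leaks(job_output_json: str, secrets: List[str]) -> Dict[str, List[str]]:
    """Map each secret value to the JSON paths where it occurs in job-output.json.

    Matching is on the decrypted *values*, since the flaw prints values, not names;
    secrets that never appear are omitted from the result."""
    document = json.loads(job_output_json)
    leaks: Dict[str, List[str]] = {secret: [] for secret in secrets if secret}
    for path, text in walk(document):
        for secret in leaks:
            if secret in text:
                leaks[secret].append(path)
    return {secret: paths for secret, paths in leaks.items() if paths}


if __name__ == "__main__":
    found = find_secret_leaks(SAMPLE_JOB_OUTPUT, ["s3cr3t-pass", "tok-EXAMPLE-0000", "not-leaked"])
    for secret, paths in found.items():
        print(f"{secret!r} leaked at: {', '.join(paths)}")  # any hit means: rotate the secret
```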
