Package: cinder
Version: 2014.1.3-3
Severity: important
Tags: security

Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed (CVE-2014-7230) or when mask_password did not mask passwords properly (CVE-2014-7231). All Cinder, Nova and Trove setups are affected.
Note from package maintainer:

The fix here: https://review.openstack.org/121382 (Cinder) is already applied on 2014.1.3, and the fix here: https://review.openstack.org/126665 (Cinder ssh_execute) will be uploaded in 2014.1.3-4 which I'm currently preparing.

Thomas Goirand (zigo)
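An added illustration of the mitigation for the failure mode described in this report (not the oslo-incubator code and not the patches in the linked reviews): secrets are masked before a failed command line enters an exception message, so nothing downstream can log them. The key names, `mask_secrets`, `run_checked`, `CommandFailed` and the sample command with its password are assumptions constructed for this example.

```python
import re
import subprocess
import sys

# Assumed key names; extend for the secrets your services put on command lines.
_KEYS = r"(?:password|passwd|auth_token|secret)"
_PATTERNS = [
    # key=value / key: value, optionally quoted (password='x', "password": "x")
    re.compile(r"(?i)(%s['\"]?\s*[:=]\s*['\"]?)([^\s'\",&]+)" % _KEYS),
    # flag with a separate argument (--password x, --os-password x)
    re.compile(r"(?i)(--?[\w-]*%s\s+['\"]?)([^\s'\"]+)" % _KEYS),
]


def mask_secrets(text, mask="***"):
    """Replace the value part of every recognised secret with `mask`."""
    for pattern in _PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + mask, text)
    return text


class CommandFailed(Exception):
    """Raised with a message that is safe to write to a service log."""


def run_checked(argv):
    """Run argv; on failure raise CommandFailed with secrets masked."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        # The raw argv never enters the exception text, so a later
        # log call or traceback cannot leak it.
        raise CommandFailed("exit code %d, command: %s, stderr: %s" % (
            proc.returncode, mask_secrets(" ".join(argv)),
            mask_secrets(proc.stderr.strip())))
    return proc.stdout


def demo():
    """Constructed failing command carrying a constructed password."""
    argv = [sys.executable, "-c", "import sys; sys.exit(3)",
            "--password", "hunter2"]
    try:
        run_checked(argv)
    except CommandFailed as exc:
        return str(exc)


if __name__ == "__main__":
    print(demo())
```

The patterns cover only the `key=value`, `key: value` and `--flag value` forms; any other way a service passes a secret needs its own pattern and its own test case.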

