Package: nova Version: 2014.1.3-4 Severity: important Tags: security Description: Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed (CVE-2014-7230) or when mask_password did not mask passwords properly (CVE-2014-7231). All Cinder, Nova and Trove setups are affected.
This patch: https://review.openstack.org/121096 (Nova) seems to be already applied. This one: https://review.openstack.org/126699 (Nova ssh_execute) will be included in the next upload: nova 2014.1.3-5. _______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
