Reviewed:  https://review.openstack.org/207226
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2afad4dc30cd1e210f2353ce987fe1bbdd8b93d7
Submitter: Jenkins
Branch:    master

commit 2afad4dc30cd1e210f2353ce987fe1bbdd8b93d7
Author: Brant Knudson <[email protected]>
Date:   Wed Jul 29 16:29:42 2015 -0500

    Config option for insecure responses

    oslo.log's "debug" option was co-opted to also indicate that the
    responses should include more information. A separate config option
    should be used instead so that deployers don't mistakenly expose
    themselves to security issues.

    The debug option still is used for what it does in oslo.log and how
    it works on all other projects -- if you're not using a log config
    file it sets the base logger to debug.

    SecurityImpact

    Change-Id: Icf8dd2f0b88abc89092d487bbcefb525960c4ec6
    Closes-Bug: 1479523

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1479523

Title:
  Stop using debug for insecure responses

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  If you set debug=true in keystone.conf the server 1) logs at debug
  level, and 2) sends out insecure responses. Deployers might think
  that debug=true only does 1, not knowing about 2 since it's not
  documented in the sample config. The behaviors should be decoupled
  to improve security a bit.
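
The coupling described in the bug report above, as an added example (not keystone's code and not part of the original notification): a check over keystone.conf text that reports which of the two behaviours a file turns on, before and after the fix. The option name insecure_debug is not given in this notification and is assumed here; the sample configs are constructed and separate_option is a hypothetical parameter.

```python
import configparser

# Constructed sample keystone.conf contents (not from a real deployment).
DEBUG_ONLY = "[DEFAULT]\ndebug = true\n"
BOTH_ON = "[DEFAULT]\ndebug = true\ninsecure_debug = true\n"
NEITHER = "[DEFAULT]\n# debug = true\n"


def _flag(conf_text, name):
    """Read a boolean from [DEFAULT]; unset or commented out means False."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp["DEFAULT"].getboolean(name, fallback=False)


def effective(conf_text, separate_option):
    """Return which behaviours the config enables.

    separate_option (hypothetical parameter): True when the deployed
    keystone has the separate option from the fix, False when debug
    still controls both logging and response detail.
    """
    debug = _flag(conf_text, "debug")
    if separate_option:
        # After the fix: debug affects logging only; the assumed
        # insecure_debug option alone controls response detail.
        insecure = _flag(conf_text, "insecure_debug")
    else:
        # Before the fix: debug=true implies both behaviours.
        insecure = debug
    return {"debug_logging": debug, "insecure_responses": insecure}


def findings(conf_text, separate_option):
    """List settings a deployer should review before going to production."""
    state = effective(conf_text, separate_option)
    if not state["insecure_responses"]:
        return []
    option = "insecure_debug" if separate_option else "debug"
    return [f"{option}=true: responses include extra information"]


if __name__ == "__main__":
    for label, text in (("debug only", DEBUG_ONLY), ("both on", BOTH_ON)):
        for fixed in (False, True):
            print(label, "fixed" if fixed else "pre-fix", findings(text, fixed))
```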

