[Bug 1628031] Re: [OSSA-2017-001] CatchErrors leaks sensitive values in oslo.middleware (CVE-2017-2592)
Ubuntu Foundations Team Bug Bot
1628031 at bugs.launchpad.net
Wed Jun 28 12:27:00 UTC 2017
The attachment "0001-Filter-token-data-out-of-catch_errors-middleware.patch"
seems to be a patch. If it isn't, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-oslo.middleware in Ubuntu.
https://bugs.launchpad.net/bugs/1628031
Title:
  [OSSA-2017-001] CatchErrors leaks sensitive values in oslo.middleware (CVE-2017-2592)
Status in keystonemiddleware:
  Invalid
Status in oslo.middleware:
  Fix Released
Status in oslo.utils:
  Invalid
Status in OpenStack Security Advisory:
  Fix Released
Status in python-oslo.middleware package in Ubuntu:
  New
Bug description:
I had reported LP bug
https://bugs.launchpad.net/keystonemiddleware/+bug/1627696 yesterday
and I see that in cases where an error of this kind occurs the auth
token used to place the REST call to neutron is logged as part of the
stacktrace (which logs the headers including the token). I am not sure
if this needs to be handled at the oslo_middleware layer or
keystonemiddleware layer.
Stacktrace from neutron:
X-Auth-Token: gAAAAABX6NfMz4Lj4sYIDHu0eXr9oxymDrJTDOOrKztp0NElSiZcs9Umr-v8P-s8VP_lz_aVKPobfoj1ROP9X9amp8ACqwa4FNRvFX5IatzwmjAKR42AZZnuD4jxoJoC05iT-UKIY81gqHsOY8v7DbqTLSE2eOFwrFKZIMQBUDlDaeqwpce0LDp-dZrM2JIta9tOz99aOH5CShyu-ihMy3F87CN3cMdK5qHIr7oM1UiXc97zgzbDOTA
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors Traceback (most recent call last):
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/oslo_middleware/catch_errors.py", line 38, in __call__
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors response = req.get_response(self.application)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1296, in send
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors application, catch_exc_info=False)
2016-09-26 05:29:36.804 28288 ERROR oslo_middleware.catch_errors File "/usr/lib/python2.7/site-packages/webob/request.py", line 1260, in
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1628031/+subscriptions
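
Added example, not part of the original bug report or of the oslo.middleware patch: one way to keep X-Auth-Token style header values out of an error log like the one quoted above, by scrubbing the rendered request dump in a logging filter. The header-name pattern, the logger name, the log message text and the sample request dump are assumptions constructed for illustration.

```python
import io
import logging
import re

# Header-name pattern is an assumption of this example (any "X-...Token"
# header line in a multi-line dump); it is not copied from the attached patch.
_TOKEN_HEADER_RE = re.compile(
    r"^(?P<name>[ \t]*X-[\w-]*Token)[ \t]*:.*$",
    flags=re.IGNORECASE | re.MULTILINE,
)


def redact_token_headers(text):
    """Replace the value of every X-*-Token header line with a placeholder."""
    return _TOKEN_HEADER_RE.sub(r"\g<name>: <removed>", text)


class TokenRedactingFilter(logging.Filter):
    """Scrub token headers from a record before a handler emits it."""

    def filter(self, record):
        # Render msg % args first so a dump passed as a %s argument is covered,
        # then store the scrubbed text so formatters never see the original.
        record.msg = redact_token_headers(record.getMessage())
        record.args = None
        return True


def log_failed_request(request_dump):
    """Log a request dump at ERROR level and return what reached the stream."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(TokenRedactingFilter())
    logger = logging.getLogger("example.catch_errors")  # hypothetical name
    logger.addHandler(handler)
    logger.propagate = False
    try:
        logger.error("error while processing request:\n%s", request_dump)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


# Constructed sample input: a request dump carrying fake token values.
SAMPLE_DUMP = (
    "GET /v2.0/ports HTTP/1.0\n"
    "Accept: application/json\n"
    "X-Auth-Token: EXAMPLE-TOKEN-NOT-REAL\n"
    "X-Service-Token: EXAMPLE-SERVICE-TOKEN\n"
)
```

Attaching the filter to the handler rather than to one logger means records from any logger routed through that handler are scrubbed.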