[Bug 1999665] Please test proposed package
Steve Langasek
1999665 at bugs.launchpad.net
Fri Mar 17 16:17:16 UTC 2023
Hello Alejandro, or anyone else affected,
Accepted heat into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/heat/1:18.0.0-0ubuntu1.1 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-jammy
to verification-done-jammy. If it does not fix the bug for you, please add
a comment stating that, and change the tag to verification-failed-jammy.
In either case, without details of your testing we will not be able to
proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to heat in Ubuntu.
https://bugs.launchpad.net/bugs/1999665
Title:
Heat stack 'hidden' and heat.conf 'encrypt_parameters_and_properties'
settings are not honored
Status in heat package in Ubuntu:
Fix Released
Status in heat source package in Jammy:
Fix Committed
Status in heat source package in Kinetic:
Fix Committed
Status in heat source package in Lunar:
Fix Released
Bug description:
[Impact]
This is a potential security vulnerability. The upstream story has
been marked as 'Vulnerability or Security-related' and is awaiting
security triage: https://storyboard.openstack.org/#!/story/2010484
[Test Case]
After a stack is created using:
openstack stack create --parameter password=test123 -t
simple_instance.yaml -e params.yaml my_simple_stack
where 'simple_instance.yaml' defines a simple VM with a 'hidden'
parameter as below:
  password:
    type: string
    hidden: true
    description: The password
'hidden' is honored when you run:
openstack stack show my_simple_stack | grep password
| | password: '******'
but that's not the case for the below command as the API returns the
'hidden' parameter in plain text:
openstack stack environment show my_simple_stack3 | grep password
password: test123
This behavior is observed in Focal/Ussuri and Jammy/Yoga and happens
regardless of the user role used. Namely two users with either reader
or member (admin role as well but this may be by design) face the same
issue. For example, if user1 created the stack, both user1 and user2
(a user with either reader or admin role assigned) face the same issue
described above.
Also it doesn't matter if heat.conf contains
'encrypt_parameters_and_properties = true', the issue is observed
regardless of the value for this parameter.
Reproducer:
-----------
1. Create a simple stack where a 'hidden' parameter is used
2. Run 'openstack stack show <stack-id>', the hidden parameter will
appear masked.
3. Run 'openstack stack environment show <stack-id>' the hidden
parameter will appear in plain text.
4. Add 'encrypt_parameters_and_properties = true' to heat.conf and
restart the heat services
5. Repeat steps 1-3, issue should be reproduced
6. Set option in step 4 as 'false' and repeat steps 1-3, issue should
be reproduced
[Regression Potential]
This changes the behavior of the API. If software depends on a hidden parameter being returned, the code will need to update the parameter to not be hidden.
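As an added verification aid for the reproducer above (not part of the bug report or of heat itself), a POSIX shell helper that pulls the names of 'hidden' parameters out of a template and checks the text of 'openstack stack environment show' for values that are not masked; the simple-template layout it assumes and the sample template and outputs are constructed here.

```shell
#!/bin/sh
# Added verification helper for the Heat 'hidden' parameter bug; it is not
# part of the bug report or of the heat package. Assumes simple templates
# whose parameter names sit two spaces under a top-level 'parameters:' key.

# Print the names of template parameters declared with 'hidden: true'.
hidden_params() {
    awk '/^  [A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ { name = $1; sub(/:$/, "", name) }
         /^    hidden:[ \t]*[Tt]rue/ { print name }' "$1"
}

# Given the text of 'openstack stack environment show' plus the hidden
# parameter names, return 1 if any of them is displayed unmasked. Only the
# first token of a value is inspected; that is enough to tell a real value
# from the '******' mask Heat already uses in 'openstack stack show'.
check_masked() {
    env_out=$1; shift
    rc=0
    for p in "$@"; do
        val=$(printf '%s\n' "$env_out" | awk -v k="$p:" '$1 == k { print $2; exit }')
        [ -z "$val" ] && continue        # parameter absent from the output
        case $val in
            "'******'"|'******') ;;      # masked, as expected after the fix
            *) echo "LEAK: hidden parameter '$p' shown as: $val"; rc=1 ;;
        esac
    done
    return $rc
}

# Live check against an existing stack (needs OpenStack CLI credentials).
verify_stack() {   # usage: verify_stack <template.yaml> <stack-name>
    check_masked "$(openstack stack environment show "$2")" $(hidden_params "$1")
}

# Constructed sample data mirroring the template and outputs in the report.
SAMPLE_TEMPLATE=$(mktemp)
cat > "$SAMPLE_TEMPLATE" <<'EOF'
heat_template_version: 2018-08-31
parameters:
  password:
    type: string
    hidden: true
    description: The password
  flavor:
    type: string
EOF
LEAKY_ENV='parameters:
  flavor: m1.small
  password: test123'
FIXED_ENV="parameters:
  flavor: m1.small
  password: '******'"
```

Against a real deployment, `verify_stack simple_instance.yaml my_simple_stack` exits non-zero while the bug is present and zero once the -proposed package masks the value.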
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/heat/+bug/1999665/+subscriptions