ironic password config not marked as secret

Bug #1451931 reported by Joe Gordon
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Joe Gordon |
Juno | Fix Released | Undecided | Michael McCune |
Kilo | Fix Released | Undecided | Michael McCune |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Michael McCune |

Bug Description

The ironic config options for the password and auth token are not marked as secret, so the values will get logged during startup in debug mode.

Joe Gordon (jogo)
information type: Public → Public Security
tags: added: kilo-backport-potential
Changed in nova:
status: New → Triaged
assignee: nobody → Joe Gordon (jogo)
importance: Undecided → Medium
Jeremy Stanley (fungi) wrote :

In the past, the VMT has not considered info leaks in debug logs to warrant an advisory. Reclassifying as security hardening.

information type: Public Security → Public
tags: added: security
Changed in ossa:
status: New → Won't Fix
Changed in nova:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/179857
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=63aa353c676a094fbf02e799115a884c70a48002
Submitter: Jenkins
Branch: master

commit 63aa353c676a094fbf02e799115a884c70a48002
Author: Joe Gordon <email address hidden>
Date: Mon May 4 11:19:33 2015 -0700

    Mark ironic credential config as secret

    Mark ironic credentials as secret so we don't log the values.

    Detected with bandit while testing out:
    I3026b81317f0a6322acfc94784899a7453af586f

    Change-Id: Icfd13b3294a9fa0881a5ab01f50864ebcbce393e
    Closes-Bug: #1451931

Changed in nova:
status: In Progress → Fix Committed
Changed in ossn:
assignee: nobody → Michael McCune (mimccune)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/194289

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/194290

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/kilo)

Reviewed: https://review.openstack.org/194289
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cd6353af7b2b4b0ef392eb015cbba9122a64f8bf
Submitter: Jenkins
Branch: stable/kilo

commit cd6353af7b2b4b0ef392eb015cbba9122a64f8bf
Author: Joe Gordon <email address hidden>
Date: Mon May 4 11:19:33 2015 -0700

    Mark ironic credential config as secret

    Mark ironic credentials as secret so we don't log the values.

    Detected with bandit while testing out:
    I3026b81317f0a6322acfc94784899a7453af586f

    Change-Id: Icfd13b3294a9fa0881a5ab01f50864ebcbce393e
    Closes-Bug: #1451931

Thierry Carrez (ttx)
Changed in nova:
milestone: none → liberty-1
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/juno)

Reviewed: https://review.openstack.org/194290
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3b9ae165f7f93424b489bfb992f935d5d5e749f2
Submitter: Jenkins
Branch: stable/juno

commit 3b9ae165f7f93424b489bfb992f935d5d5e749f2
Author: Joe Gordon <email address hidden>
Date: Mon May 4 11:19:33 2015 -0700

    Mark ironic credential config as secret

    Mark ironic credentials as secret so we don't log the values.

    Detected with bandit while testing out:
    I3026b81317f0a6322acfc94784899a7453af586f

    Change-Id: Icfd13b3294a9fa0881a5ab01f50864ebcbce393e
    Closes-Bug: #1451931

Changed in ossn:
status: New → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: liberty-1 → 12.0.0
Nathan Kinder (nkinder) wrote :

This has been published as OSSN-0049:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0049

Changed in ossn:
status: Fix Committed → Fix Released
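
A static check for the class of defect reported above, as an added example that is not part of the bug report, nova, or bandit: it parses Python source and flags oslo.config-style option declarations whose name suggests a credential but which do not pass `secret=True`. The sample source, its option names, the `SENSITIVE` substring list and all function names are assumptions made for illustration.

```python
import ast

# Substrings that suggest an option holds a credential (assumed heuristic).
SENSITIVE = ("password", "token", "secret")

# Constructed sample resembling an oslo.config option list; not nova's source.
SAMPLE = '''
from oslo_config import cfg
opts = [
    cfg.StrOpt('admin_username', help='Ironic keystone admin name'),
    cfg.StrOpt('admin_password', help='Ironic keystone admin password.'),
    cfg.StrOpt('admin_auth_token', secret=True, help='Ironic keystone auth token.'),
    cfg.IntOpt('api_max_retries', default=60),
]
'''


def _is_opt_call(node):
    """True for calls shaped like cfg.StrOpt(...) or StrOpt(...)."""
    func = node.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
    return name.endswith("Opt")


def _secret_is_true(node):
    """True only when the call passes the literal keyword secret=True."""
    for kw in node.keywords:
        if kw.arg == "secret":
            return isinstance(kw.value, ast.Constant) and kw.value.value is True
    return False


def find_unmasked_options(source):
    """Return (lineno, option_name) for credential-like options lacking secret=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_opt_call(node) and node.args):
            continue
        first = node.args[0]
        if not (isinstance(first, ast.Constant) and isinstance(first.value, str)):
            continue
        if any(s in first.value.lower() for s in SENSITIVE) and not _secret_is_true(node):
            findings.append((node.lineno, first.value))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, name in find_unmasked_options(SAMPLE):
        print(f"line {lineno}: option {name!r} is not marked secret=True")
```

Options whose name is built dynamically or passed as a keyword argument are not inspected by this check, so it complements review rather than replacing it.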