[Bug 1022152] New: CVE-2017-2592: VUL-0: oslo.middleware: CatchErrors leaks sensitive values [OSSA-2017-001]
http://bugzilla.suse.com/show_bug.cgi?id=1022152

Bug ID: 1022152
Summary: CVE-2017-2592: VUL-0: oslo.middleware: CatchErrors leaks sensitive values [OSSA-2017-001]
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/205
================================================
====================================================================
OSSA-2017-001: CatchErrors leaks sensitive values in oslo.middleware
====================================================================

:Date: January 26, 2017
:CVE: CVE-2017-2592

Affects
~~~~~~~
- Oslo.middleware: <=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.23.0

Description
~~~~~~~~~~~
Divya K Konoor with IBM reported a vulnerability in oslo.middleware.
Software using the CatchError class may include sensitive values in
the error message accompanying a Traceback, resulting in their
disclosure. For example, complete API requests (including keystone
tokens in their headers) may leak into neutron error logs.

Patches
~~~~~~~
- https://review.openstack.org/425734 (Mitaka)
- https://review.openstack.org/425732 (Newton)
- https://review.openstack.org/425730 (Ocata)

Credits
~~~~~~~
- Divya K Konoor from IBM (CVE-2017-2592)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1628031
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2592

--
Jeremy Stanley
OpenStack Vulnerability Management Team
================================================

https://software.opensuse.org/package/python-oslo.middleware

TW: 3.19.0
42.2: 3.19.0
42.1: 2.8.0

--
You are receiving this mail because:
You are on the CC list for the bug.
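An added illustration of the failure mode the advisory describes, not code from oslo.middleware or its patches: a hypothetical error-catching WSGI middleware (`CatchAndLog`) that logs the failing request, once verbatim and once with credential headers masked. The class and function names, the list of headers treated as credentials, and the token value are assumptions made for this example.

```python
import io
import logging
import re

TOKEN = "gAAAAABconstructed-sample-token"  # constructed value, not a real token

# Headers treated as credentials here are an assumption of this example.
_CRED_RE = re.compile(
    r"^(X-Auth-Token|X-Subject-Token|X-Service-Token|Authorization)([ \t]*:[ \t]*).*$",
    re.I | re.M)

def request_text(environ):
    """Render the request line and headers of a WSGI environ as text."""
    lines = ["%s %s" % (environ["REQUEST_METHOD"], environ["PATH_INFO"])]
    for key in sorted(k for k in environ if k.startswith("HTTP_")):
        lines.append("%s: %s" % (key[5:].replace("_", "-").title(), environ[key]))
    return "\n".join(lines)

def redact(text):
    """Mask the value of every credential header, keep the header name."""
    return _CRED_RE.sub(r"\1\2*****", text)

class CatchAndLog:
    """Hypothetical error-catching WSGI middleware (not oslo.middleware's class)."""
    def __init__(self, app, logger, mask):
        self.app, self.logger, self.mask = app, logger, mask

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            text = request_text(environ)
            if self.mask:  # mask=False reproduces the leak the advisory describes
                text = redact(text)
            self.logger.exception("Error while processing request: %s", text)
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"Internal Server Error"]

def failing_app(environ, start_response):
    raise RuntimeError("backend failure")  # stands in for any unhandled error

def logged_output(mask):
    """Run one failing request and return (log text, response body)."""
    buf = io.StringIO()
    logger = logging.Logger("catch-errors-demo")  # standalone, writes only to buf
    logger.addHandler(logging.StreamHandler(buf))
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2.0/networks",
               "HTTP_X_AUTH_TOKEN": TOKEN, "HTTP_ACCEPT": "application/json"}
    body = CatchAndLog(failing_app, logger, mask)(environ, lambda status, headers: None)
    return buf.getvalue(), body
```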
Mikhail Kasimov
http://bugzilla.suse.com/show_bug.cgi?id=1022152#c1
--- Comment #1 from Mikhail Kasimov
http://bugzilla.suse.com/show_bug.cgi?id=1022152#c2
Swamp Workflow Management