Mailinglist Archive: opensuse-bugs (4258 mails)

[Bug 1022152] New: CVE-2017-2592: VUL-0: oslo.middleware: CatchErrors leaks sensitive values [OSSA-2017-001]
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Thu, 26 Jan 2017 20:44:33 +0000
  • Message-id: <bug-1022152-21960@http.bugzilla.suse.com/>
http://bugzilla.suse.com/show_bug.cgi?id=1022152


Bug ID: 1022152
Summary: CVE-2017-2592: VUL-0: oslo.middleware: CatchErrors leaks sensitive values [OSSA-2017-001]
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/205
================================================
====================================================================
OSSA-2017-001: CatchErrors leaks sensitive values in oslo.middleware
====================================================================

:Date: January 26, 2017
:CVE: CVE-2017-2592


Affects
~~~~~~~
- Oslo.middleware: <=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.23.0


Description
~~~~~~~~~~~
Divya K Konoor with IBM reported a vulnerability in oslo.middleware.
Software using the CatchErrors class may include sensitive values in
the error message accompanying a Traceback, resulting in their
disclosure. For example, complete API requests (including keystone
tokens in their headers) may leak into neutron error logs.


Patches
~~~~~~~
- https://review.openstack.org/425734 (Mitaka)
- https://review.openstack.org/425732 (Newton)
- https://review.openstack.org/425730 (Ocata)


Credits
~~~~~~~
- Divya K Konoor from IBM (CVE-2017-2592)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1628031
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2592

--
Jeremy Stanley
OpenStack Vulnerability Management Team
================================================

https://software.opensuse.org/package/python-oslo.middleware

TW: 3.19.0
42.2: 3.19.0
42.1: 2.8.0
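
The leak described in the advisory, shown as an added example that is not part of the original mail and is not oslo.middleware's own code: a hypothetical error-catching WSGI middleware logs the failed request, once verbatim and once with `X-...-Token` header values masked. The class and helper names, the regex and the request values are all constructed for illustration.

```python
import logging
import re

# Matches any "X-...-Token" header line (X-Auth-Token, X-Subject-Token, ...).
TOKEN_HEADER_RE = re.compile(r"^(X-[A-Za-z-]*Token):.*$", re.M | re.I)

def request_as_text(environ):
    """Render method, path and headers of a WSGI environ as text."""
    lines = ["%s %s" % (environ["REQUEST_METHOD"], environ["PATH_INFO"])]
    for key, value in sorted(environ.items()):
        if key.startswith("HTTP_"):
            lines.append("%s: %s" % (key[5:].replace("_", "-").title(), value))
    return "\n".join(lines)

def mask_tokens(text):
    """Replace token header values so they never reach the log."""
    return TOKEN_HEADER_RE.sub(r"\1: *****", text)

class CatchErrorsSketch:
    """Hypothetical middleware; mask=False reproduces the leaking behaviour."""
    def __init__(self, app, logger, mask=True):
        self.app, self.logger, self.mask = app, logger, mask
    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            req_text = request_as_text(environ)
            if self.mask:
                req_text = mask_tokens(req_text)
            self.logger.exception("An error occurred during processing the request: %s", req_text)
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"Internal Server Error"]

def failing_app(environ, start_response):
    raise RuntimeError("backend failure")

def run_once(mask):
    """Send one constructed request through the middleware; return body and log messages."""
    records = []
    handler = logging.Handler()
    handler.emit = lambda record: records.append(record.getMessage())
    logger = logging.getLogger("sketch.%s" % mask)
    logger.addHandler(handler)
    logger.propagate = False
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2.0/networks",  # constructed request
               "HTTP_X_AUTH_TOKEN": "constructed-token-0123", "HTTP_ACCEPT": "application/json"}
    body = CatchErrorsSketch(failing_app, logger, mask)(environ, lambda status, headers: None)
    logger.removeHandler(handler)
    return body, records
```

Masking at the point where the request is rendered for the log keeps the method, path and other headers available for debugging while the token value stays out of the log.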
