Message-ID: <517771F6.7090900@redhat.com>
Date: Tue, 23 Apr 2013 23:47:34 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>, Thierry Carrez <thierry@...nstack.org>
Subject: CVE-2013-2006 OpenStack keystone LDAP password disclosure in log files

So as part of https://bugs.launchpad.net/ossn/+bug/1168252 we have
CVE-2013-1977 for the insecure file permissions (devstack/etc.). We
also have the password being logged and exposed in the log files:

https://review.openstack.org/#/c/26826/2/keystone/common/config.py

Please use CVE-2013-2006 for this issue (password being logged to the
log file).

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993