Description Agostino Sarubbo 2016-01-07 20:18:46 UTC

From ${URL} :

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Xen connection password leak in logs via StorageError
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:
Matt Riedemann from IBM reported an information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials that are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova deployments using the Xen backend are
affected by this flaw.

References:
https://launchpad.net/bugs/1516765


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.