From ${URL} :

The OpenStack project reports:

""
Title: User token leak to message queue in pyCADF notifier middleware
Reporter: Zhi Kun Liu (IBM)
Products: Neutron (2014.1 versions up to 2014.1.1)
          Ceilometer (2013.2 versions up to 2013.2.3, 2014.1 versions up to 2014.1.1)
          pyCADF library (all versions up to 0.5.0)

Description:
Zhi Kun Liu from IBM reported a vulnerability in the notifier middleware available in the PyCADF library and formerly copied into Neutron and Ceilometer code. An attacker with read access to the message queue may obtain authentication tokens used in REST requests (X_AUTH_TOKEN) that go through the notifier middleware. All services using the notifier middleware configured after the auth_token middleware pipeline are impacted.
""

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
pyCADF fix (included in 0.5.1 release):
https://review.openstack.org/94878 (pyCADF)

Juno (development branch) fix:
https://review.openstack.org/94891 (Neutron)

Icehouse fix:
https://review.openstack.org/101097 (Neutron)
https://review.openstack.org/96944 (Ceilometer)

Havana fix:
https://review.openstack.org/101799 (Ceilometer)

Notes:
Ceilometer Juno (master) branch is not affected. Those fixes will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases.
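The advisory above describes the failure mode in one sentence: a notifier middleware placed after auth_token in the WSGI pipeline copies request metadata, including the validated X-Auth-Token header, into the event it publishes on the message queue, so anyone with read access to the queue holds a usable token. The following is an added illustration, not pyCADF's, Neutron's or Ceilometer's code and not the content of the linked fixes: it contrasts a leaky event builder with one that drops credential headers, wraps both in a minimal WSGI middleware with an in-memory stand-in for the queue, and adds a consumer-side check that a test or a queue reader can run over published events. The environ contents, the token value, the `SENSITIVE_KEYS` list and all function names are assumptions constructed for the example.

```python
"""Illustrative audit-notifier middleware for the CVE-2014-4615 pattern.

Added example, not pyCADF's code. Shows why copying the WSGI environ's
HTTP_X_AUTH_TOKEN into a published event leaks the caller's token, and
how an allow/deny list on header keys plus a consumer-side check prevents it.
"""
import json

# Constructed sample WSGI environ: what a request looks like after the
# auth_token middleware has validated the token and set the identity headers.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/v2/meters",
    "HTTP_X_AUTH_TOKEN": "CONSTRUCTED-TOKEN-abc123",  # constructed value
    "HTTP_X_USER_ID": "u-123",
    "HTTP_X_PROJECT_ID": "p-456",
    "REMOTE_ADDR": "10.0.0.5",
}

# Header keys (WSGI environ form) that must never reach an audit event.
# Assumed list for the example; extend it to match the deployment.
SENSITIVE_KEYS = frozenset({
    "HTTP_X_AUTH_TOKEN",
    "HTTP_X_SERVICE_TOKEN",
    "HTTP_X_STORAGE_TOKEN",
    "HTTP_AUTHORIZATION",
})


def build_event_leaky(environ):
    """Vulnerable pattern: every HTTP_* header, token included, is copied in."""
    return {
        "action": environ["REQUEST_METHOD"],
        "target": environ["PATH_INFO"],
        "headers": {k: v for k, v in environ.items() if k.startswith("HTTP_")},
    }


def build_event_redacted(environ):
    """Hardened pattern: identity headers are kept, credential headers dropped."""
    headers = {k: v for k, v in environ.items()
               if k.startswith("HTTP_") and k not in SENSITIVE_KEYS}
    return {
        "action": environ["REQUEST_METHOD"],
        "target": environ["PATH_INFO"],
        "headers": headers,
    }


def _normalize(key):
    """Map 'X-Auth-Token' / 'x_auth_token' / 'HTTP_X_AUTH_TOKEN' to one form."""
    k = str(key).upper().replace("-", "_")
    return k if k.startswith("HTTP_") else "HTTP_" + k


def contains_credential(event):
    """Consumer-side check: does any key in a (nested) event name a credential?"""
    if isinstance(event, dict):
        return any(_normalize(k) in SENSITIVE_KEYS or contains_credential(v)
                   for k, v in event.items())
    if isinstance(event, (list, tuple)):
        return any(contains_credential(v) for v in event)
    return False


class AuditNotifier:
    """Minimal WSGI middleware: publish one JSON event per request, then pass on."""

    def __init__(self, app, publish, build_event=build_event_redacted):
        self.app = app
        self.publish = publish          # callable standing in for the queue
        self.build_event = build_event

    def __call__(self, environ, start_response):
        self.publish(json.dumps(self.build_event(environ)))
        return self.app(environ, start_response)


def run_request(build_event):
    """Push SAMPLE_ENVIRON through the middleware; return the published events."""
    queue = []                           # in-memory stand-in for the message queue

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    middleware = AuditNotifier(app, queue.append, build_event)
    list(middleware(dict(SAMPLE_ENVIRON), lambda status, headers: None))
    return [json.loads(message) for message in queue]


if __name__ == "__main__":
    for name, builder in (("leaky", build_event_leaky),
                          ("redacted", build_event_redacted)):
        events = run_request(builder)
        print(name, "-> token in queue:", contains_credential(events))
```

The `contains_credential` walk is the piece worth keeping in a CI test or a queue-side monitor: it fails closed on any key that normalises to a credential header, regardless of nesting or header-name spelling, so a later change that re-adds the environ to the event is caught before it reaches production.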
https://bugs.launchpad.net/oslo/+bug/1321080 better link
*pycadf-0.5-r1 (27 Jun 2014)

  27 Jun 2014; Ian Delaney <idella4@gentoo.org> +files/CVE-2014-4615.patch,
  +pycadf-0.5-r1.ebuild, -pycadf-0.5.ebuild:
  sec. patch wrt Bug #515050, add IUSE, doc build, fix test phase, rm vuln. version
Does this mean we need to fix it outside of the pycadf lib?
CVE-2014-4615 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4615): The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).
ya, don't see any vulnerable versions of either package in tree
No vulnerable versions in tree.