Bug 606976 (CVE-2017-2592) - <dev-python/oslo-middleware-{3.8.0-r2,3.19.0-r1}: CatchErrors leaks sensitive values in oslo.middleware
Summary: <dev-python/oslo-middleware-{3.8.0-r2,3.19.0-r1}: CatchErrors leaks sensitive...
Status: RESOLVED FIXED
Alias: CVE-2017-2592
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2017/q1/205
Whiteboard: B3 [noglsa]
Reported: 2017-01-24 02:36 UTC by Aaron Bauman (RETIRED)
Modified: 2017-01-26 22:41 UTC
Description Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 02:36:38 UTC
This is an advance warning of a vulnerability discovered in
OpenStack, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

Title: CatchErrors leaks sensitive values in oslo.middleware
Reporter: Divya K Konoor (IBM)
Products: oslo.middleware
Affects: <=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.23.0

Description:
Divya K Konoor with IBM reported a vulnerability in oslo.middleware.
Software using the CatchError class may include sensitive values in
the error message accompanying a Traceback, resulting in their
disclosure. For example, complete API requests (including keystone
tokens in their headers) may leak into neutron error logs.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.

CVE: CVE-2017-2592

Proposed public disclosure date/time:
Thursday, January 26, 2017, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
https://launchpad.net/bugs/1628031
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.
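Illustrating the flaw the advisory above describes, as an added example and not oslo.middleware's own code: a minimal WSGI catch-errors middleware that interpolates the whole request (headers included, so a Keystone token) into the exception log line, beside the hardened form that logs only method and path and lets the traceback carry the stack. The middleware classes, the logger set-up and the sample environ are all constructed here.

```python
import logging
from io import StringIO

def describe_request(environ):
    """Render a WSGI environ the way a request repr does: method, path and every header."""
    headers = {k: v for k, v in environ.items() if k.startswith("HTTP_")}
    return "%s %s %s" % (environ["REQUEST_METHOD"], environ["PATH_INFO"], headers)

class LeakyCatchErrors:
    """Before: the full request is interpolated into the error log message."""
    def __init__(self, app, log):
        self.app, self.log = app, log
    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            # Headers such as X-Auth-Token land in the log together with the traceback.
            self.log.exception("An error occurred during processing the request: %s",
                               describe_request(environ))
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"An unknown error has occurred. Please try your request again."]

class SafeCatchErrors(LeakyCatchErrors):
    """After: only method and path are logged; the traceback still gives the stack."""
    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            self.log.exception("An error occurred during processing the request: %s %s",
                               environ["REQUEST_METHOD"], environ["PATH_INFO"])
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"An unknown error has occurred. Please try your request again."]

def run_and_capture_log(middleware_cls):
    """Drive the middleware with a crashing app and return the text that reached the log."""
    buf = StringIO()
    log = logging.getLogger("catcherrors-demo-" + middleware_cls.__name__)
    log.handlers.clear(); log.propagate = False
    log.addHandler(logging.StreamHandler(buf)); log.setLevel(logging.ERROR)
    def crashing_app(environ, start_response):
        raise RuntimeError("boom")
    # Constructed sample request: a Neutron-style call carrying a (fake) Keystone token.
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2.0/networks",
               "HTTP_X_AUTH_TOKEN": "CONSTRUCTED-SAMPLE-TOKEN"}
    middleware_cls(crashing_app, log)(environ, lambda *args: None)
    return buf.getvalue()

def token_leaked(middleware_cls):
    return "CONSTRUCTED-SAMPLE-TOKEN" in run_and_capture_log(middleware_cls)
```

Running `token_leaked` against both classes shows the token text in the leaky variant's log and absent from the hardened one, while the traceback (and its `RuntimeError: boom`) survives in both.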
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-26 21:27:48 UTC
Now public.

@ Maintainer(s): Please proceed and push the updated package to the repository!
Comment 2 Matthew Thode (prometheanfire) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-26 21:43:51 UTC
Would have been nice to be pinged earlier on this; I almost made the same bug. I am part of the security ml for openstack, so this shouldn't remain hidden from me before the public date.

In any case, fix pushed and tree cleaned up.

=dev-python/oslo-middleware-3.19.0-r1
=dev-python/oslo-middleware-3.8.0-r2

have the fix; removing self from cc.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-26 22:41:08 UTC
GLSA Vote: No

Maintainer already stabilized, repository is clean.