Candidate: CVE-2013-2006
PublicDate: 2013-05-21 18:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2006
 https://review.openstack.org/#/c/26826/2/keystone/common/config.py
 https://bugs.launchpad.net/keystone/+bug/1172195
Description:
 OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is
 enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which
 allows local users to obtain sensitive information by reading the log file.
Ubuntu-Description:
Notes:
 jdstrand> requires debug logging to be set in keystone.conf. On 12.10 and
  higher, keystone.conf warns about passwords. Furthermore, level=WARNING is
  used in logging.conf
 jdstrand> 12.04 uses debug = True, but has level=WARNING in logging.conf and
  the log files are not readable on the system (i.e. the /var/log/keystone
  directory is 0700)
 jdstrand> Keystone on 11.10 is a pre-release version and unusable with other
  components such as nova and horizon
 jdstrand> fix requires a conffile change to fix non-default configurations
  that are marginally affected
Bugs:
 https://bugs.launchpad.net/keystone/+bug/1172195
Priority: negligible
Discovered-by:
Assigned-to: jdstrand
CVSS:

Patches_keystone:
upstream: https://review.openstack.org/#/c/26826/
upstream_keystone: needs-triage
hardy_keystone: DNE
lucid_keystone: DNE
oneiric_keystone: ignored
precise_keystone: ignored
quantal_keystone: ignored
raring_keystone: not-affected (1:2013.1.1-0ubuntu1)
devel_keystone: not-affected (1:2013.1.1-0ubuntu1)