Candidate: CVE-2015-3646
PublicDate: 2015-05-12 19:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3646
 http://www.openwall.com/lists/oss-security/2015/05/04/10
 http://lists.openstack.org/pipermail/openstack-announce/2015-May/000356.html
Description:
 OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.
Ubuntu-Description:
 seth-arnold> Upstream mentions kilo not affected
 mdeslaur> not going to be fixed before 14.10 goes EoL
Notes:
Bugs:
 https://bugs.launchpad.net/keystone/+bug/1443598
Priority: medium
Discovered-by: Eric Brown
Assigned-to:
CVSS:

Patches_keystone:
 upstream: https://review.openstack.org/175519 (icehouse)
 upstream: https://review.openstack.org/173116 (juno)
upstream_keystone: released (2015.1.0-1)
precise_keystone: not-affected (code not present)
trusty_keystone: not-affected (1:2014.1.5-0ubuntu1)
trusty/esm_keystone: DNE (trusty was not-affected [1:2014.1.5-0ubuntu1])
utopic_keystone: ignored (reached end-of-life)
vivid_keystone: not-affected (1:2015.1.0-0ubuntu1)
devel_keystone: not-affected (2:8.0.0~b1-0ubuntu1)