CVE-2013-2006

Published: 21 May 2013

OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive information by reading the log file.

Notes

Author: jdstrand
Note:
requires debug logging to be set in keystone.conf.
On 12.10 and higher, keystone.conf warns about passwords. Furthermore, level=WARNING is used in logging.conf
12.04 uses debug = True, but has level=WARNING in logging.conf and the log files are not readable on the system (i.e. the /var/log/keystone directory is 0700)
Keystone on 11.10 is a pre-release version and unusable with other components such as nova and horizon
fix requires a conffile change to fix non-default configurations that are marginally affected
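The three conditions these notes name (debug in keystone.conf, the level in logging.conf, and the mode of the /var/log/keystone directory) can be checked together on a host. The following is an added example, not part of the tracker entry or of Keystone; the function names, the `[logger_root]` lookup (Python's standard fileConfig layout) and the sample files are assumptions constructed for illustration.

```python
import configparser
import os
import stat
import tempfile


def audit_keystone_logging(keystone_conf, logging_conf, log_dir):
    """Check the three conditions from the notes; all paths are caller-supplied."""
    ks = configparser.RawConfigParser(strict=False)
    ks.read(keystone_conf)
    # "debug = True" is read from [DEFAULT] of keystone.conf.
    debug = ks.defaults().get("debug", "false").strip().lower() == "true"

    lg = configparser.RawConfigParser(strict=False)
    lg.read(logging_conf)
    # Assumption: logging.conf follows Python's fileConfig layout ([logger_root]).
    root_level = lg.get("logger_root", "level", fallback="UNKNOWN").strip().upper()
    # Without an explicit higher level, assume DEBUG records reach the log.
    passes_debug = root_level in ("DEBUG", "NOTSET", "UNKNOWN")

    mode = stat.S_IMODE(os.stat(log_dir).st_mode)
    # Any group/other bit lets local users other than the owner reach the logs.
    dir_open = bool(mode & 0o077)

    return {
        "debug": debug,
        "root_level": root_level,
        "log_dir_mode": oct(mode),
        "at_risk": debug and passes_debug and dir_open,
    }


def make_sample(root, debug, level, mode):
    """Write constructed sample files under root and return their paths."""
    ks = os.path.join(root, "keystone.conf")
    lg = os.path.join(root, "logging.conf")
    logs = os.path.join(root, "log")
    with open(ks, "w") as f:
        f.write("[DEFAULT]\ndebug = %s\n" % debug)
    with open(lg, "w") as f:
        f.write("[logger_root]\nlevel=%s\nhandlers=file\n" % level)
    os.makedirs(logs, exist_ok=True)
    os.chmod(logs, mode)
    return ks, lg, logs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed layout mirroring the 12.04 note: debug on, WARNING, 0700.
        print(audit_keystone_logging(*make_sample(d, True, "WARNING", 0o700)))
```

On a real host the function would be pointed at the installed keystone.conf, logging.conf and log directory; it only reads configuration and directory metadata, never the log contents.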

Priority

Negligible

Status

Package: keystone (Launchpad, Ubuntu, Debian)

Release    Status
upstream   Needs triage
hardy      Does not exist
lucid      Does not exist
oneiric    Ignored
precise    Ignored
quantal    Ignored
raring     Not vulnerable (1:2013.1.1-0ubuntu1)

Patches:
upstream: https://review.openstack.org/#/c/26826/