CVE-2014-7230
Published: 8 October 2014
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
Notes
Author | Note |
---|---|
jdstrand | nova/utils.py on Essex, but it only logs it with debug logging enabled. Reducing the priority for nova on 12.04 LTS. |
ebarretto | trove is GNU trove, and this bug affects Openstack trove. So setting trove status to ignored. |
Priority
Status
Package | Release | Status |
---|---|---|
cinder Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
bionic |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
cosmic |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
disco |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
lucid |
Does not exist
|
|
precise |
Does not exist
|
|
upstream |
Released
(2013.2.4, 2014.1.3)
|
|
utopic |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
wily |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
xenial |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
yakkety |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
zesty |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
vivid |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
trusty |
Released
(1:2014.1.3-0ubuntu1)
|
|
Patches: upstream: https://review.openstack.org/#/c/126052/ (juno) upstream: https://review.openstack.org/#/c/121382/ (icehouse) upstream: https://review.openstack.org/#/c/121095/ (havana) |
||
nova Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
bionic |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
cosmic |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
disco |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
lucid |
Does not exist
|
|
upstream |
Released
(2013.2.4, 2014.1.3)
|
|
utopic |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
wily |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
xenial |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
yakkety |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
zesty |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
vivid |
Not vulnerable
(1:2014.2~rc2-0ubuntu1)
|
|
precise |
Ignored
|
|
trusty |
Released
(1:2014.1.3-0ubuntu1)
|
|
Patches: upstream: https://review.openstack.org/#/c/126047/ (juno) upstream: https://review.openstack.org/#/c/121383/ (icehouse) upstream: https://review.openstack.org/#/c/121096/ (havana) |
||
trove Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
bionic |
Ignored
|
|
cosmic |
Ignored
|
|
disco |
Ignored
|
|
lucid |
Ignored
(end of life)
|
|
trusty |
Does not exist
(trusty was needed)
|
|
upstream |
Released
(2013.2.4, 2014.1.3)
|
|
utopic |
Ignored
(end of life)
|
|
vivid |
Ignored
(end of life)
|
|
wily |
Ignored
(end of life)
|
|
xenial |
Ignored
|
|
yakkety |
Ignored
(end of life)
|
|
zesty |
Ignored
(end of life)
|
|
precise |
Ignored
(end of life)
|
|
Patches: upstream: https://review.openstack.org/#/c/121417/ (juno) upstream: https://review.openstack.org/#/c/121416/ (icehouse) |