2258836 – (CVE-2024-1141) CVE-2024-1141 glance-store: Glance Store access key logged in DEBUG log level

Bug 2258836 (CVE-2024-1141) - CVE-2024-1141 glance-store: Glance Store access key logged in DEBUG log level

Summary: CVE-2024-1141 glance-store: Glance Store access key logged in DEBUG log level

Keywords:
Status:	NEW
Alias:	CVE-2024-1141
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2258837
Blocks:	2258835
TreeView+	depends on / blocked

Reported:	2024-01-17 16:36 UTC by Patrick Del Bello
Modified:	2024-04-03 08:53 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2024-01-17 16:36:01 UTC

A vulnerability was found in python-glance-store. The package logs access_key for glance-store when DEBUG log level is enabled.

Comment 3 Salvatore Bonaccorso 2024-02-12 20:19:06 UTC

If our tracking downstream in Debian is correct, then the fixes upstream should be
https://github.com/openstack/glance_store/commit/a5ba027922ba1230b4ae9abb810f36427be6354a
 and https://github.com/openstack/glance_store/commit/d6e531af4821c8466b1e9404f12f89f6216417f2 .

Is this correct?

Comment 4 Cyril Roelandt 2024-02-13 14:31:07 UTC

Yes.

Note that we have backports on the way:

https://review.opendev.org/q/I9193df38d613259b61bb369fa1040fb2c51a21d7
https://review.opendev.org/q/I8dc564bed33d6fc71965f4f573ae9109b410b1d4

Thanks for your work in Debian!

Note You need to log in before you can comment on or make changes to this bug.