Bug 1192504
| Field | Value |
|---|---|
| Summary | rubygem-rest-client: plain text passwords are being logged |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Vasyl Kaigorodov <vkaigoro> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | rubygem-rest-client 1.7.3 |
| Doc Type | Bug Fix |
| Last Closed | 2015-04-01 20:34:25 UTC |
| Bug Depends On | 1192505, 1192506, 1192507, 1240983 |
| Bug Blocks | 1192509 |
| CC | abaron, aortega, apatters, apevec, ayoung, bhu, bkearney, bleanhar, cbillett, ccoleman, chrisw, cpelland, dajohnso, dallan, dclarizi, dmcphers, esammons, gkotton, gmccullo, iboverma, jdetiber, jhardy, jialiu, jkeck, joelsmith, jokerman, jprause, jrafanie, jross, jrusnack, jvlcek, katello-bugs, kseifried, lhh, lmeyer, lpeer, markmc, matt, mburns, mcressma, mfojtik, mmccomas, mmccune, mrg-program-list, obarenbo, rbryant, rhos-maint, sclewis, tbielawa, tdawson, tjay, tomckay, williams, xlecauch, yeylon |

Description
Vasyl Kaigorodov
2015-02-13 15:03:52 UTC
Created rubygem-rest-client tracking bugs for this issue:

Affects: fedora-all [bug 1192505]
Affects: epel-all [bug 1192506]

Technical analysis:

This vulnerability affects all known versions of rest-client. The accepted fix is to redact the password part of the URL:

```ruby
require 'uri'

# Build the URL that goes into the log, with any password replaced.
sanitized_url = begin
  uri = URI.parse(url)
  uri.password = "REDACTED" if uri.password
  uri.to_s
end
```

The fix is done by commit 60ae4a5373e574bdeacd7b526c72f4e7d0ca858f and is included in the 1.7.3 release.

References:
https://github.com/xaviershay/rest-client/commit/60ae4a5373e574bdeacd7b526c72f4e7d0ca858f
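The redaction described in the technical analysis, shown as an added example beside the unredacted log line; this is not rest-client's own code. The helper names, the sample URLs and the `[invalid uri]` fallback for URLs that fail to parse are assumptions made for illustration.

```ruby
require 'uri'
require 'stringio'

# Hypothetical helper: returns a form of +url+ that is safe to write to a log.
def sanitize_url_for_log(url)
  uri = URI.parse(url)
  uri.password = 'REDACTED' if uri.password
  uri.to_s
rescue URI::InvalidURIError
  # Assumption: never echo any part of an unparseable URL, because the raw
  # string may still carry the password.
  '[invalid uri]'
end

# Hypothetical request logger. With redact: false it reproduces the leak
# (the raw URL, userinfo included, goes straight into the log).
def log_request(io, method, url, redact: true)
  shown = redact ? sanitize_url_for_log(url) : url
  io.puts("#{method.to_s.upcase} #{shown}")
end

# Constructed sample inputs (not taken from the bug report).
SAMPLE_URL = 'https://alice:s3cret@api.example.test/v1/items?page=2'
BROKEN_URL = 'https://alice:s3cret@api.example .test/v1/items' # space makes it invalid

# Logs both sample URLs into an in-memory buffer and returns the log text.
def demo_log(redact:)
  io = StringIO.new
  log_request(io, :get, SAMPLE_URL, redact: redact)
  log_request(io, :get, BROKEN_URL, redact: redact)
  io.string
end

if __FILE__ == $PROGRAM_NAME
  puts 'Without redaction:', demo_log(redact: false)
  puts 'With redaction:', demo_log(redact: true)
end
```

Searching existing log files for `://user:password@` patterns is a quick way to check whether credentials were already written before the upgrade to 1.7.3.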