Bug 1257154 (CVE-2015-6918)
Summary: | CVE-2015-6918 salt: git module leaks authentication details into log | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | andrewniemants, carnil, ceph-eng-bugs, erik, sisharma |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | salt-2015.5.5 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-11-18 06:40:05 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1257155, 1257156 | | |
Bug Blocks: | 1257160 | | |

Description
Adam Mariš
2015-08-26 11:38:29 UTC
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1257155]
Affects: epel-all [bug 1257156]

Analysis: Salt git module is affected in Ceph, but git module is not used by ceph in production environment. Hence Ceph itself is not affected by this vulnerability but shipped salt git module is.

Just to add some more info here, the auth info was only being leaked at the debug loglevel. Salt ships with the loglevel set to "warning" by default, so the issue would not present itself unless the loglevel was intentionally changed to debug.

2015.5.8 builds were submitted today as updates for the Fedora and EPEL branches, which include fixes to redact HTTPS basic auth credentials.
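
The kind of redaction the last comment refers to, sketched as a Python `logging` filter that strips the `user:password@` part of any URL before a debug line is written. This is an added example, not Salt's code or the upstream fix; the regular expression, the names `redact_url_credentials` and `RedactCredentialsFilter`, the logger name and the sample URL are all constructed for illustration.

```python
import io
import logging
import re

# Userinfo part of a URL: scheme://user[:password]@host. Constructed pattern
# for this example; it is not the expression used in Salt's fix. The greedy
# match runs to the last "@" before the first "/", so a password that itself
# contains "@" is removed whole.
_URL_USERINFO = re.compile(r"(?P<scheme>\b[a-z][a-z0-9+.-]*://)[^/\s]+@", re.IGNORECASE)


def redact_url_credentials(text):
    """Replace user[:password]@ in every URL found in text with a marker."""
    return _URL_USERINFO.sub(r"\g<scheme><redacted>@", text)


class RedactCredentialsFilter(logging.Filter):
    """Scrub the fully formatted message so %-style arguments are covered too."""

    def filter(self, record):
        record.msg = redact_url_credentials(record.getMessage())
        record.args = None  # the message is already formatted
        return True


def demo():
    """Log a constructed git command at debug level; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactCredentialsFilter())
    log = logging.getLogger("redaction_demo")  # hypothetical logger name
    log.handlers = [handler]
    log.propagate = False
    log.setLevel(logging.DEBUG)  # the level at which the leak was reported
    # Constructed sample: repository URL carrying HTTPS basic auth credentials.
    url = "https://deploy:s3cr3t@git.example.com/org/repo.git"
    log.debug("Executing command: git clone %s /srv/repo", url)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Attaching the filter to the handler rather than to one logger means every record that reaches that log destination is scrubbed, whichever module emitted it.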