Bug 2258836 (CVE-2024-1141)

Summary: CVE-2024-1141 glance-store: Glance Store access key logged in DEBUG log level
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, carnil, cyril, eglynn, jjoyce, jschluet, lhh, lsvaty, mburns, mgarciac, pdeore, pgrist, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2258837    
Bug Blocks: 2258835    

Description Patrick Del Bello 2024-01-17 16:36:01 UTC 
A vulnerability was found in python-glance-store. The package logs access_key for glance-store when DEBUG log level is enabled.
Comment 3 Salvatore Bonaccorso 2024-02-12 20:19:06 UTC 
If our tracking downstream in Debian is correct, then the fixes upstream should be
https://github.com/openstack/glance_store/commit/a5ba027922ba1230b4ae9abb810f36427be6354a
 and https://github.com/openstack/glance_store/commit/d6e531af4821c8466b1e9404f12f89f6216417f2 .

Is this correct?
Comment 4 Cyril Roelandt 2024-02-13 14:31:07 UTC 
Yes.

Note that we have backports on the way:

https://review.opendev.org/q/I9193df38d613259b61bb369fa1040fb2c51a21d7
https://review.opendev.org/q/I8dc564bed33d6fc71965f4f573ae9109b410b1d4

Thanks for your work in Debian!
Comment 5 errata-xmlrpc 2024-05-22 20:33:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2732 https://access.redhat.com/errata/RHSA-2024:2732