Description of problem:
It will re-set the admin password if you only provide the confirm password, and it will result in the admin being able to log in without providing a password. It also triggers disabling CIM when you just provide the confirm password without enabling CIM.

Version-Release number of selected component (if applicable):
rhevh-6.5-20140120.0
ovirt-node-3.0.1-18.el6_5.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install rhevh-6.5-20140120.0.
2. Re-set the admin password as follows.
   Password: __________
   Confirm Password: redhat
3. Log out and log in with admin.
4. Configure CIM as follows.
   Enable CIM [ ]
   CIM password
   Password: __________
   Confirm Password: redhat

Actual results:
1. After step 2, it will prompt that all changes were applied successfully.
2. After step 3, it will not require the admin password and will log in directly.
3. After step 4, it will prompt that all changes were applied successfully.

Expected results:
1. It should not allow just providing the confirm password to change the admin password or to trigger configuring CIM.

Additional info:
No such issue in RHEV-H 6.4-20131003.0.el6. So this issue should be a regression bug.
Hi Fabian, this bug is a regression bug; can we try to fix it asap (6.5 update 2)? Thanks, Ying
Add an elif statement to check password == "" and confirmation != "": http://gerrit.ovirt.org/#/c/24308/
Using jenkins build http://jenkins.ovirt.org/job/node-devel/1438/distro=centos64/artifact/ovirt-node-iso-3.1.0-0.999.1438.el6.iso to test, the result is as follows. For the admin password and the CIM password: (a) if you only provide the confirm password, it will prompt "Please Check Password Entry" and disable the "Save" button; (b) if you only provide the password, it will prompt "Please Check Confirm Password Entry" and disable the "Save" button.
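The defect and its fix come down to which field states a password/confirm validator actually enumerates. The following is an added example, not code from ovirt-node or from the linked gerrit change: a constructed "before" validator that only compares the two fields when both are filled (an illustration of the kind of gap reported here, not the original code), next to a hardened one that handles every blank/filled combination explicitly, as the extra elif in the fix does, and keeps Save disabled on any half-filled pair. Function names and the "Passwords do not match" message are assumptions; the other two messages are the ones the verified build shows.

```python
# Added example (not ovirt-node's own code). Demonstrates why a
# password/confirm-password check must enumerate every field state
# instead of only comparing two filled fields.


def naive_validate(password, confirmation):
    """Constructed 'before' (assumption, not the original code): only a
    mismatch between two filled fields is rejected, so ("", "redhat")
    slips through and would apply a blank password.
    Returns (save_enabled, message)."""
    if password and confirmation and password != confirmation:
        return False, "Passwords do not match"   # message is an assumption
    return True, ""


def fixed_validate(password, confirmation):
    """Hardened validator: every blank/filled combination is handled
    explicitly, and Save stays disabled for any half-filled pair.
    Returns (save_enabled, message)."""
    if password == "" and confirmation == "":
        # Both blank: the user is not changing the password at all.
        return True, ""
    if password != "" and confirmation == "":
        # Only the first field filled (message as shown by the verified build).
        return False, "Please Check Confirm Password Entry"
    elif password == "" and confirmation != "":
        # The case in this bug: a blank password beside a filled confirm
        # field must never be accepted as "set the password to blank".
        return False, "Please Check Password Entry"
    elif password != confirmation:
        return False, "Passwords do not match"   # message is an assumption
    return True, ""


def password_change_requested(password, confirmation):
    """True only when fixed_validate accepts a non-blank, matching pair;
    a caller should apply a new password (or a CIM password) only then."""
    ok, _ = fixed_validate(password, confirmation)
    return ok and password != ""


if __name__ == "__main__":
    # Constructed inputs mirroring the report's reproduction steps.
    for pw, confirm in [("", "redhat"), ("redhat", ""),
                        ("redhat", "redhat"), ("", "")]:
        print(repr((pw, confirm)),
              "naive:", naive_validate(pw, confirm),
              "fixed:", fixed_validate(pw, confirm))
```

The point of `password_change_requested` is that the decision to apply a change is derived from the same validator that drives the Save button, so the UI state and the action taken can never disagree the way they did in the original report.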
Thanks for your report! I am not sure if we need to treat this as a security issue as I assume you need to know the administrator password to get to the password reset functionality in the first place. I am going to see if Petr Matousek, the security response team's RHEV expert, can take a quick look. Thanks, -- Murray McAllister / Red Hat Security Response Team
Hey Murray, I already reached out to Petr and this is no security issue. I guess I was using the Security keyword incorrectly. Until now I thought that it was used to "tag" possible security related bugs, but it seems that this will also automatically pull someone in from the SRT, is that correct?
I believe you are using it correctly. I should have checked with Petr first before asking in the bug. And yes, SRT will be notified when a bug is tagged with the security keyword, but please continue to use it if you have possible security-related bugs. Sorry for all the noise!
Test Version:
rhev-hypervisor6-6.6-20141212.0
ovirt-node-3.1.0-0.34.20141210git0c9c493.el6.noarch

Steps to Reproduce:
1. Install rhev-hypervisor6-6.6-20141212.0.
2. Re-set the admin password as follows.
   Password: __________
   Confirm Password: redhat
3. Configure CIM as follows.
   Enable CIM [ ]
   CIM password
   Password: __________
   Confirm Password: redhat

Actual results:
1. After step 2, the save button cannot be clicked.
2. After step 3, the save button cannot be clicked.

So this issue is fixed in rhev-hypervisor6-6.6-20141212.0 now. Changing the status from ON_QA to Verified.
And also no such issue in rhev-hypervisor7-7.0-20141212.0.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0160.html