Bug 1257154 - (CVE-2015-6918) CVE-2015-6918 salt: git module leaks authentication details into log
CVE-2015-6918 salt: git module leaks authentication details into log
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1257155 1257156
Blocks: 1257160
  Show dependency treegraph
Reported: 2015-08-26 07:38 EDT by Adam Mariš
Modified: 2016-01-04 17:14 EST (History)
5 users (show)

See Also:
Fixed In Version: salt-2015.5.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-11-18 01:40:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-08-26 07:38:29 EDT
It was found that calling git.clone with https user/pass will leak the authentication details to the log.

Upstream patch:

Comment 1 Adam Mariš 2015-08-26 07:39:20 EDT
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1257155]
Affects: epel-all [bug 1257156]
Comment 2 Siddharth Sharma 2015-11-18 01:39:10 EST

Salt git module is affected in Ceph, but git module is not used by ceph  in production environment. Hence Ceph itself is not affected by this vulnerability but shipped salt git module is.
Comment 4 Erik Johnson 2016-01-04 17:14:22 EST
Just to add some more info here, the auth info was only being leaked at the debug loglevel. Salt ships with the loglevel set to "warning" by default, so the issue would not present itself unless the loglevel was intentionally changed to debug.

2015.5.8 builds were submitted today as updates for the Fedora and EPEL branches, which includes fixes to redact HTTPS basic auth credentials.

Note You need to log in before you can comment on or make changes to this bug.