Bug 1257154 - CVE-2015-6918 salt: git module leaks authentication details into log
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20150819,reported=2...
Keywords: Security
Depends On: 1257155 1257156
Blocks: 1257160
Reported: 2015-08-26 07:38 EDT by Adam Mariš
Modified: 2016-01-04 17:14 EST
Fixed In Version: salt-2015.5.5
Doc Type: Bug Fix
Last Closed: 2015-11-18 01:40:05 EST
Attachments: None
Description Adam Mariš 2015-08-26 07:38:29 EDT
It was found that calling git.clone with https user/pass will leak the authentication details to the log.

Upstream patch:

https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
Comment 1 Adam Mariš 2015-08-26 07:39:20 EDT
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1257155]
Affects: epel-all [bug 1257156]
Comment 2 Siddharth Sharma 2015-11-18 01:39:10 EST
Analysis:

The Salt git module is affected in Ceph, but the git module is not used by Ceph in a production environment. Hence Ceph itself is not affected by this vulnerability, but the shipped salt git module is.
Comment 4 Erik Johnson 2016-01-04 17:14:22 EST
Just to add some more info here, the auth info was only being leaked at the debug loglevel. Salt ships with the loglevel set to "warning" by default, so the issue would not present itself unless the loglevel was intentionally changed to debug.

2015.5.8 builds were submitted today as updates for the Fedora and EPEL branches, which include fixes to redact HTTPS basic auth credentials.
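As an added example (not Salt's code and not the upstream patch), the Python below models the behaviour discussed in this bug: a clone wrapper that logs its HTTPS URL at DEBUG level, per-URL redaction of the user:password part as the fix describes, and a logging filter that scrubs credentials from any record regardless of call site. The repository URL, its credentials and all function names are constructed for this example.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URL for this example; the credentials are fake.
REPO_URL = "https://deploy:s3cr3t-token@git.example.com/org/states.git"


def redact_url_credentials(url):
    """Return url with any user:password removed from the authority part.
    URLs that carry no credentials are returned unchanged."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]  # drop everything before the '@'
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


# Matches 'scheme://userinfo@' so embedded credentials are removed from any
# log message, not only from call sites that remembered to redact.
_CRED_RE = re.compile(r"(?P<scheme>[a-z][a-z0-9+.-]*://)[^/\s@]+@", re.I)


class RedactCredentialsFilter(logging.Filter):
    """Logger-level filter: rewrites each record before any handler emits it."""
    def filter(self, record):
        record.msg = _CRED_RE.sub(r"\g<scheme>", record.getMessage())
        record.args = ()  # message is already interpolated above
        return True


class ListHandler(logging.Handler):
    """Collects formatted messages so the result can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def clone_and_log(url, redact, level="DEBUG"):
    """Model of a git clone logging its URL at DEBUG (the pre-fix behaviour).
    With redact=True the filter is installed; 'level' plays the role of
    the configured log level (Salt's default being WARNING)."""
    log = logging.getLogger("example.git.%s" % redact)
    log.setLevel(level)
    log.propagate = False
    handler = ListHandler()
    log.handlers = [handler]  # replace, so repeated calls do not duplicate
    log.filters = [RedactCredentialsFilter()] if redact else []
    log.debug("Cloning %s", url)
    return handler.lines
```

With the default WARNING level the debug line is never emitted, which is why comment 4 notes the leak only showed up once the level was raised to debug.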