It was found that calling git.clone with https user/pass will leak the authentication details to the log.
Created salt tracking bugs for this issue:
Affects: fedora-all [bug 1257155]
Affects: epel-all [bug 1257156]
Salt git module is affected in Ceph, but git module is not used by ceph in production environment. Hence Ceph itself is not affected by this vulnerability but shipped salt git module is.
Just to add some more info here, the auth info was only being leaked at the debug loglevel. Salt ships with the loglevel set to "warning" by default, so the issue would not present itself unless the loglevel was intentionally changed to debug.
2015.5.8 builds were submitted today as updates for the Fedora and EPEL branches, which includes fixes to redact HTTPS basic auth credentials.