It appears that the Mistral service logs everything, and doesn't yet use the mask_password (nor mask_dict_password) method. In order to ensure all is properly masked, we have to add some new patterns, and make it case insensitive in order to simplify and avoid duplicated entries.

Rebase python-oslo-utils to 3.41.4 to pull the fix in current version. The version 3.41.4 will fix a CVE where passwords leak in logs. This CVE is fixed by cae9aa72377713c2fc93b5cf3fad05b873a55d6d
Errata: s/3.41.4/3.41.3/gi

Rebase python-oslo-utils to 3.41.3 to pull the fix in current version. The version 3.41.3 will fix a CVE where logs leak passwords.
Will be fixed in version python-oslo-utils-3.41.3-1.el8ost https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=24730585
Verified,

[stack@undercloud-0 ~]$ rpm -qa|grep python3-oslo-utils
python3-oslo-utils-3.41.4-0.20200113095842.39870f6.el8ost.noarch
[root@undercloud-0 mistral]# pwd
/var/log/containers/mistral
[root@undercloud-0 mistral]# grep -q passphrase *
[root@undercloud-0 mistral]# echo $?
0
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text. If this bug does not require doc text, please set the 'requires_doc_text' flag to '-'.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0657
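The point made in the description, that key patterns must match case-insensitively or differently cased keys slip through unmasked, shown as an added example. This is not code from oslo.utils or from this report: it is a simplified stand-alone masker, the key list (apart from "passphrase") is an assumption, and the log lines are constructed.

```python
import re

# Key names are assumptions for this example; "passphrase" is the one the
# verification step in this report greps for.
SECRET_KEYS = ["password", "passphrase", "auth_token", "secret"]


def build_patterns(keys, ignore_case=True):
    """One regex per key: key, '=' or ':', then an optionally quoted value."""
    flags = re.IGNORECASE if ignore_case else 0
    template = r"(['\"]?%s['\"]?\s*[=:]\s*)(['\"]?)([^'\"\s,}]+)(\2)"
    return [re.compile(template % re.escape(k), flags) for k in keys]


def mask(line, patterns, secret="***"):
    """Replace every matched value with the mask, keeping key and quoting."""
    for p in patterns:
        line = p.sub(r"\g<1>\g<2>" + secret + r"\g<4>", line)
    return line


def leaked(lines, patterns, secret="***"):
    """Return the lines where a secret key still carries an unmasked value."""
    return [l for l in lines
            if any(m.group(3) != secret
                   for p in patterns for m in p.finditer(l))]


# Constructed log lines, not taken from a real Mistral log.
SAMPLE_LOG = [
    "DEBUG mistral.engine input: {'undercloud_admin_password': 'hunter2'}",
    'DEBUG mistral.engine input: {"Passphrase": "s3cr3t"}',
    "INFO  mistral.api AUTH_TOKEN=abc123 accepted",
    "INFO  mistral.api workflow started",
]

if __name__ == "__main__":
    strict = build_patterns(SECRET_KEYS)                     # case-insensitive
    legacy = build_patterns(SECRET_KEYS, ignore_case=False)  # case-sensitive
    for name, pats in (("case-sensitive", legacy), ("case-insensitive", strict)):
        masked = [mask(l, pats) for l in SAMPLE_LOG]
        # Always audit with the case-insensitive set so misses are visible.
        print(name, "-> lines still leaking:", len(leaked(masked, strict)))
```

Running `leaked()` over already-written log files with the case-insensitive patterns gives a stricter post-fix check than grepping for a single key name, because it flags only lines where a secret key still has an unmasked value.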