An information disclosure vulnerability in oslo.middleware was found. Software using the CatchError class may include sensitive values in the error message accompanying a Traceback, resulting in their disclosure. For example, complete API requests (including keystone tokens in their headers) may leak into neutron error logs.

Affected versions: <=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.22.0

Acknowledgments:
Name: the OpenStack project
Upstream: Divya K Konoor (IBM)
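Added example, not code from oslo.middleware or from the attached patches: a minimal WSGI error-catching middleware in the shape the report describes, with an unsafe mode that logs the raw request environ (the reported leak) and a hardened mode that masks credential headers before anything reaches the log. The header set, the sample neutron request and the token value are all constructed for the demo.

```python
import traceback

# WSGI environ keys that carry credentials. Constructed list for this example,
# not the set oslo.middleware uses.
SENSITIVE_HEADERS = frozenset({
    "HTTP_X_AUTH_TOKEN", "HTTP_X_SERVICE_TOKEN", "HTTP_X_SUBJECT_TOKEN",
    "HTTP_X_STORAGE_TOKEN", "HTTP_AUTHORIZATION", "HTTP_COOKIE",
})
MASK = "***"

def sanitize_environ(environ):
    """Keep method, path and HTTP_* headers only, masking credential headers."""
    return {k: (MASK if k in SENSITIVE_HEADERS else v)
            for k, v in environ.items()
            if k in ("REQUEST_METHOD", "PATH_INFO") or k.startswith("HTTP_")}

class CatchErrorsMiddleware:
    """Turn unhandled exceptions into a generic 500 and log the request.
    log_error is a logging.Logger.error-style callable (fmt, *args);
    safe=False logs the raw environ, tokens included: the reported flaw."""

    def __init__(self, app, log_error, safe=True):
        self.app, self.log_error, self.safe = app, log_error, safe

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            details = sanitize_environ(environ) if self.safe else dict(environ)
            self.log_error("Unhandled exception for request %r\n%s",
                           details, traceback.format_exc())
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [b"An unknown error has occurred."]

def failing_app(environ, start_response):
    raise RuntimeError("simulated backend failure")

def run_demo(safe):
    """Push a constructed request carrying a fake keystone token through the
    middleware; return (status line, text that reached the log)."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/ports",
               "HTTP_HOST": "neutron.example.test:9696",
               "HTTP_X_AUTH_TOKEN": "gAAAAABfake-keystone-token",  # constructed
               "wsgi.url_scheme": "http"}
    messages, statuses = [], []
    log_error = lambda fmt, *args: messages.append(fmt % args)
    app = CatchErrorsMiddleware(failing_app, log_error, safe)
    app(environ, lambda status, headers, exc_info=None: statuses.append(status))
    return statuses[0], "\n".join(messages)
```

Running `run_demo(False)` shows the token string in the logged text; `run_demo(True)` logs the same traceback with the header value replaced by `***`.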
Created attachment 1243810 [details] Ocata patch
Created attachment 1243811 [details] Newton patch
Created attachment 1243812 [details] Mitaka patch
Created python-oslo-middleware tracking bugs for this issue:
Affects: openstack-rdo [bug 1417592]
Affects: fedora-all [bug 1417593]
Public via: http://lists.openstack.org/pipermail/openstack-announce/2017-January/002002.html
Upstream bug: https://bugs.launchpad.net/keystonemiddleware/+bug/1628031
*** Bug 1417538 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:
Red Hat OpenStack Platform 10.0 (Newton)
Via RHSA-2017:0300 https://rhn.redhat.com/errata/RHSA-2017-0300.html
This issue has been addressed in the following products:
Red Hat OpenStack Platform 9.0 (Mitaka)
Via RHSA-2017:0435 https://rhn.redhat.com/errata/RHSA-2017-0435.html