[Openstack-security] [Bug 1506419] Re: Running Flask server in debug mode may be a security issue
Jeremy Stanley
fungi at yuggoth.org
Wed Oct 21 01:00:20 UTC 2015
Sorry, as Garth Mollett pointed out to me via E-mail, this is not simply
an information disclosure but instead a backdoor. Probably the closest
prior report I've seen is bug 1425206.
Though also, Ironic is not currently under OpenStack VMT oversight[*],
so take this as guidance for how I would have classified it were that
not actually the case.
[*] http://governance.openstack.org/reference/tags/vulnerability_managed.html
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1506419
Title:
Running Flask server in debug mode may be a security issue
Status in Ironic Inspector:
Fix Committed
Status in Ironic Inspector liberty series:
Fix Committed
Status in Ironic Inspector mitaka series:
Fix Committed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
A lot of people default to running their servers in debug mode. While
handy for getting the full logs, in our case it will also allow access
to Flask console, which may pose a security risk. We need a separate
option for this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ironic-inspector/+bug/1506419/+subscriptions
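The bug description asks for a separate option so that turning on verbose logging does not also switch on the Flask debugger. As an added example (not ironic-inspector's code, nor its actual fix), the Python below places the coupled setting the report describes beside a decoupled one and checks, through a WSGI test client, which of the two hands back the Werkzeug debugger page on an unhandled exception. It assumes Flask and Werkzeug are installed; the app names, the /boom route and the factory functions are illustrative.

```python
"""Verbose logging vs. the Flask/Werkzeug debugger.

Added example, not ironic-inspector code. Assumes Flask and Werkzeug are
installed; app names, the /boom route and the factory names are made up for
illustration. make_app_unsafe reproduces the pattern the bug describes (one
"debug" flag drives both log verbosity and Flask debug mode); make_app_safe
gives the same verbose logging while leaving the debugger off.
"""
import logging

from flask import Flask
from werkzeug.debug import DebuggedApplication
from werkzeug.test import Client


def _add_routes(app: Flask) -> None:
    @app.route("/boom")
    def boom():
        # Any unhandled exception is enough to reach the debugger page.
        return str(1 / 0)


def make_app_unsafe(verbose: bool) -> Flask:
    """One flag for everything: verbose=True also sets app.debug, so app.run()
    would start the Werkzeug debugger and offer an in-browser Python console
    to anyone who can trigger (or provoke) an unhandled exception."""
    app = Flask("inspector_unsafe")
    app.debug = verbose  # same effect as app.run(debug=verbose)
    app.logger.setLevel(logging.DEBUG if verbose else logging.INFO)
    _add_routes(app)
    return app


def make_app_safe(verbose: bool) -> Flask:
    """Separate option: verbosity only touches the logger. app.debug stays
    False, so app.run() never wraps the app in the debugger, and unhandled
    errors come back as a generic 500 page."""
    app = Flask("inspector_safe")
    app.logger.setLevel(logging.DEBUG if verbose else logging.INFO)
    _add_routes(app)
    return app


def as_served_by_app_run(app: Flask):
    """Reproduce what Flask's app.run() passes to werkzeug.serving.run_simple:
    the app is wrapped in DebuggedApplication (interactive console enabled,
    evalex=True) exactly when app.debug is set."""
    if app.debug:
        return DebuggedApplication(app, evalex=True)
    return app


def probe(app: Flask) -> dict:
    """Request /boom through the same WSGI stack a real deployment would
    serve and report what came back."""
    resp = Client(as_served_by_app_run(app)).get("/boom")
    body = resp.get_data(as_text=True)
    return {
        "status": resp.status_code,
        # The debugger's traceback page carries this title in every version.
        "debugger_page": "Werkzeug Debugger" in body,
        "debug_logging": app.logger.isEnabledFor(logging.DEBUG),
    }


if __name__ == "__main__":
    print("unsafe, verbose:", probe(make_app_unsafe(True)))
    # -> status 500, debugger_page True, debug_logging True
    print("safe, verbose:  ", probe(make_app_safe(True)))
    # -> status 500, debugger_page False, debug_logging True
```

Both variants log at DEBUG level when asked to; only the coupled one exposes the debugger, which since Werkzeug 0.11 is PIN-protected but still renders the full traceback with source and local variables to any client that triggers an error. The check in probe() is the regression test a project can keep once it stops passing its logging "debug" flag into app.run().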