[Openstack-security] [Bug 1479523] Re: Stop using debug for insecure responses

OpenStack Infra 1479523 at bugs.launchpad.net
Wed Jan 6 09:09:04 UTC 2016


Reviewed:  https://review.openstack.org/207226
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2afad4dc30cd1e210f2353ce987fe1bbdd8b93d7
Submitter: Jenkins
Branch:    master

commit 2afad4dc30cd1e210f2353ce987fe1bbdd8b93d7
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Wed Jul 29 16:29:42 2015 -0500

    Config option for insecure responses
    
    oslo.log's "debug" option was co-opted to also indicate that the
    responses should include more information. A separate config
    option should be used instead so that deployers don't mistakenly
    expose themselves to security issues.
    
    The debug option still is used for what it does in oslo.log and
    how it works on all other projects -- if you're not using a log
    config file it sets the base logger to debug.
    
    SecurityImpact
    
    Change-Id: Icf8dd2f0b88abc89092d487bbcefb525960c4ec6
    Closes-Bug: 1479523


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1479523

Title:
  Stop using debug for insecure responses

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  
  If you set debug=true in keystone.conf the server 1) logs at debug level, and 2) sends out insecure responses. Deployers might think that debug=true only does 1, not knowing about 2 since it's not documented in the sample config. The behaviors should be decoupled to improve security a bit.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1479523/+subscriptions



