Hi all, I'd like to propose the following exception to be included in the next Icehouse release: https://review.openstack.org/#/c/99536/ This is a security related fix, it fixes block device auth_password key get logged at debug level. It may be not critical because generally debug won't be enabled at production environment, but we can't assume all users follow the suggestion. It's better to get this fixed early than later. The patch was already get approved but failed to merge duo to conflict now patch is updated and get a +2. -- Tang Yaguang Canonical Ltd. | www.ubuntu.com | www.canonical.com gpg key: 0x187F664F
I am in favor of adding this one From: Yaguang Tang <yaguang.tang@canonical.com<mailto:yaguang.tang@canonical.com>> Date: Tuesday, August 5, 2014 at 5:19 AM To: "openstack-stable-maint@lists.openstack.org<mailto:openstack-stable-maint@lists.openstack.org>" <openstack-stable-maint@lists.openstack.org<mailto:openstack-stable-maint@lists.openstack.org>> Subject: [Openstack-stable-maint] [nova] Freeze exception Hi all, I'd like to propose the following exception to be included in the next Icehouse release: https://review.openstack.org/#/c/99536/ This is a security related fix, it fixes block device auth_password key get logged at debug level. It may be not critical because generally debug won't be enabled at production environment, but we can't assume all users follow the suggestion. It's better to get this fixed early than later. The patch was already get approved but failed to merge duo to conflict now patch is updated and get a +2. -- Tang Yaguang Canonical Ltd. | www.ubuntu.com<https://urldefense.proofpoint.com/v1/url?u=http://www.ubuntu.com/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=eH0pxTUZo8NPZyF6hgoMQu%2BfDtysg45MkPhCZFxPEq8%3D%0A&m=0tK6KUq%2BoH1PAsKptY8y%2FrPSTH5vECJnl0cThiqKcD8%3D%0A&s=ae414f57b543580acd2cd01ec05a03e4fefd2d9827462b6453c610441f30d665> | www.canonical.com<https://urldefense.proofpoint.com/v1/url?u=http://www.canonical.com/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=eH0pxTUZo8NPZyF6hgoMQu%2BfDtysg45MkPhCZFxPEq8%3D%0A&m=0tK6KUq%2BoH1PAsKptY8y%2FrPSTH5vECJnl0cThiqKcD8%3D%0A&s=599c288cbfb81ae280724d62d6292b8477dfc70b0d6e6018459710e9f8d3dc41> gpg key: 0x187F664F
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/08/14 04:19, Yaguang Tang wrote:
Hi all,
I'd like to propose the following exception to be included in the next Icehouse release: https://review.openstack.org/#/c/99536/
This is a security related fix, it fixes block device auth_password key get logged at debug level.
Do we need OSSA to be released for the issue?
It may be not critical because generally debug won't be enabled at production environment, but we can't assume all users follow the suggestion. It's better to get this fixed early than later.
I agree. Security related fixes *are* critical.
The patch was already get approved but failed to merge duo to conflict now patch is updated and get a +2.
Already approved by Alan. /Ihar -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJT4IjOAAoJEC5aWaUY1u57pcAIAOqN4r34qVFNKBryH+8PqQkw jPopM5/2yYMKSNFeEDJdwO5iy+cJlyXHtQbiIlUj6jHeY7jZlnHT/LlcqVf6rYw7 onVeQJ4SVPocmmykhetG8uoL6GE04cttbf+xXSc/GeUa6b3qsBWy4tWEGBDgXgrr Jz2V+nRG78Q74+Z8/nPVdjFSKA67wUA9sD+8FZn7DrZQdy7z58d1fMiT7QmV6nkC 91Mf9F58gj/ihdmihuyXMjit8a+Rq+d5ySnazcRGEzZ6D2pGbWItWCmp3nmJ521m 8b7fuA4sy8n3izMBPB1R2EhN68YjWFWezHsiLuDW9Iayq6pe3nBSNT8j9qoeUzo= =FeOT -----END PGP SIGNATURE-----
participants (3)
-
Gary Kotton
-
Ihar Hrachyshka
-
Yaguang Tang