oss-sec mailing list archives

Re: Re: CVE request for vulnerability in OpenStack Cinder, Nova and Trove


From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Mon, 06 Oct 2014 09:11:11 -0400

On 29/09/14 10:39 PM, cve-assign () mitre org wrote:
> Is this a remaining vulnerability in Cinder 2013.2.4 and
> possibly other products? If so, then we will assign another CVE ID.

The ssh_execute method is indeed prone to a password leak if:
- passwords are used on the command line
- execution fails
- calling code catches and logs the exception

So far investigations show that ssh_execute usage does not contain any
passwords but we can't guarantee Cinder and Nova 2013.2.4 releases are
not affected as the vulnerable code is still there so it may be safer to
consider these releases affected.

Apologies for the confusion,

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
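
The three conditions listed in the message above, reproduced as an added example that is not part of the original post and is not OpenStack code: a helper that embeds the failed command in its exception leaks the password once the caller logs it, and masking before raising prevents that. The names `run_remote`, `CommandFailed`, `mask_secrets` and `logged_failure` are hypothetical, and the command and the simulated failure are constructed.

```python
import logging
import re

# Constructed sample command; "hunter2" stands in for a real password.
CMD = "mysql --user admin --password hunter2 -e 'select 1'"

# Value following a password-like option ("--password X", "password=X").
_SECRET_RE = re.compile(
    r"""(--?(?:password|passwd|secret)(?:=|\s+)|(?:password|passwd|secret)=)"""
    r"""("[^"]*"|'[^']*'|\S+)""", re.IGNORECASE)

def mask_secrets(text):
    """Replace the value after a password-like option with '***'."""
    return _SECRET_RE.sub(r"\1***", text)

class CommandFailed(Exception):
    """Hypothetical error type that embeds the command, as the leak requires."""
    def __init__(self, cmd, exit_code, stderr):
        super().__init__("command %r failed (exit %d): %s" % (cmd, exit_code, stderr))

def run_remote(cmd, runner, sanitize):
    """Hypothetical ssh_execute-style helper; runner(cmd) simulates the remote host."""
    exit_code, stdout, stderr = runner(cmd)
    if exit_code != 0:
        if sanitize:  # mask before the text can reach any caller or log
            cmd, stderr = mask_secrets(cmd), mask_secrets(stderr)
        raise CommandFailed(cmd, exit_code, stderr)
    return stdout

def logged_failure(cmd, sanitize):
    """Calling code that catches and logs the exception; returns the log line."""
    lines = []
    handler = logging.Handler()
    handler.emit = lambda record: lines.append(record.getMessage())
    log = logging.getLogger("demo.sanitize_%s" % sanitize)
    log.addHandler(handler)
    log.propagate = False
    failing = lambda c: (1, "", "sh: %s: connection refused" % c)  # execution fails
    try:
        run_remote(cmd, failing, sanitize)
    except CommandFailed as exc:
        log.error("remote command failed: %s", exc)
    finally:
        log.removeHandler(handler)
    return lines[0]

if __name__ == "__main__":
    print(logged_failure(CMD, sanitize=False))  # password visible in the log line
    print(logged_failure(CMD, sanitize=True))   # password replaced by ***
```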
