RHSA-2014:1939 - Security Advisory

Overview
Updated Packages

Synopsis

Low: openstack-trove security update

Type/Severity

Security Advisory: Low

Topic

Updated openstack-trove packages that fix two security issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

OpenStack Database (trove) is Database as a Service for Openstack. It runs
entirely on OpenStack, with the goal of allowing users to quickly and
easily utilize the features of a database without the burden of handling
complex administrative tasks. Cloud users and database administrators can
provision and manage multiple database instances as needed.

It was found that the processutils.execute() and strutils.mask_password()
functions did not correctly sanitize the authentication details from their
output before storing them in log files. This could allow an attacker with
read access to these log files to obtain sensitive information such as
passwords. (CVE-2014-7230, CVE-2014-7231)

The openstack-trove packages have been upgraded to upstream version
2014.1.3, which provides a number of bug fixes and enhancements over the
previous version. (BZ#1149745)

All openstack-trove users are advised to upgrade to these updated packages,
which correct these issues and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 5.0 for RHEL 7 x86_64

Fixes

BZ - RHSA-2014:1939 - CVE-2014-7230 CVE-2014-7231 OpenStack Cinder, Nova, Trove: potential leak of passwords into log files
BZ - RHSA-2014:1939 - Rebase openstack-trove to 2014.1.3

CVEs

References

http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 5.0 for RHEL 7

SRPM
openstack-trove-2014.1.3-1.el7ost.src.rpm	SHA-256: 19eeb66031aa03f0be9f2a9dfb3b77d7769118687e15034730e0026e461777cd
x86_64
openstack-trove-2014.1.3-1.el7ost.noarch.rpm	SHA-256: e87a7c73d7b1f16dd8c13f3cdaf971eb89f65b7c173ba5bf2991f7274a30fc0e
openstack-trove-api-2014.1.3-1.el7ost.noarch.rpm	SHA-256: 4b0c25988175efb3c7195ff3237efc8f503983d74a3269eedd7b0d3480691bd0
openstack-trove-common-2014.1.3-1.el7ost.noarch.rpm	SHA-256: d7eee4006360750af7287d075668efa8bca4ca4ffcc267c15c3faa1dab77895b
openstack-trove-conductor-2014.1.3-1.el7ost.noarch.rpm	SHA-256: 5b8826436218797f0f12b929851f96edadcd4607fac3cc765bfb19b58e5e9673
openstack-trove-guestagent-2014.1.3-1.el7ost.noarch.rpm	SHA-256: 6b3736579c5cfeef227ec0ee37b4b6ae511cd7f0f4d9b9b6ea5fe1ce56b09d38
openstack-trove-taskmanager-2014.1.3-1.el7ost.noarch.rpm	SHA-256: 8ae2d5ce958bff9e3c109bbc9b6ee2ce03f7a404c5659793ef0d52bd5a4d1cb4
python-trove-2014.1.3-1.el7ost.noarch.rpm	SHA-256: e7430ef321705f69efea82719c387cb6f3ce239e9cd3bbe8e8fff23e56eb3b32

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories