CVE-2016-9593: Filter out passwords from answer file and cert keys
Executing foreman-debug (foreman-debug-188.8.131.52-1.el7sat.noarch), I noticed it captured the following files containing passwords:
Sample entry (I have used XXXXXX to mask the password)
The following log files captured also contained passwords:
Sample entry of keystore passwords being captured (I have used XXXXXX to mask the passwords)
[DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'
The following keystore files were also collected by foreman-debug; the private keystore files are the most concerning:
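A redaction pass of the kind this report calls for, added here as an example and not foreman-debug's own filter: it masks keytool -storepass/-srcstorepass values and openssl pass: arguments in log lines, blanks password-like keys in an answer file, and then checks that none of the known secrets survive. The function names, sed patterns and sample lines are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added illustration of the redaction a debug collector should apply before
# archiving logs and answer files. Not foreman-debug's own filter; function
# names and patterns are assumptions.

# Constructed secrets (not real), kept in variables so the leak check can grep for them.
STOREPASS='s3cretStorePW'
SRCSTOREPASS='s3cretSrcPW'
KSPASS='abc123'
DBPASS='hunter2'

# Constructed inputs: a puppet log line modelled on the keytool entry in the report,
# a second openssl line using an inline pass: argument, and three answer-file keys.
SAMPLE_LOG="[DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -in java-client.crt -inkey java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -storepass $STOREPASS -srcstorepass $SRCSTOREPASS -noprompt && rm /tmp/keystore.p12'"
SAMPLE_LOG2="Executing 'openssl pkcs12 -export -passout pass:$STOREPASS -out /tmp/k.p12'"
SAMPLE_ANSWERS="katello::candlepin::keystore_password: \"$KSPASS\"
foreman::db_password: $DBPASS
foreman::db_host: localhost"

# redact_secrets: read text on stdin, write it with secret values replaced.
# Rule 1: keytool -storepass/-srcstorepass/-deststorepass/-keypass <value>
# Rule 2: openssl -passin/-passout pass:<value> (file:/path forms are left alone)
# Rule 3: answer-file keys containing password/passwd/secret, whole value masked
redact_secrets() {
  sed -E \
    -e "s/(-(src|dest)?storepass|-keypass)[[:space:]]+[^[:space:]']+/\1 [FILTERED]/g" \
    -e "s/(-pass(in|out)[[:space:]]+pass:)[^[:space:]']+/\1[FILTERED]/g" \
    -e "s/^([[:alnum:]_:]*(password|passwd|secret)[[:alnum:]_]*:)[[:space:]]*.*/\1 [FILTERED]/"
}

# assert_no_leak: return 1 if any of the known secret values survives on stdin.
assert_no_leak() {
  if grep -qF -e "$STOREPASS" -e "$SRCSTOREPASS" -e "$KSPASS" -e "$DBPASS"; then
    echo "secret value leaked into debug output" >&2
    return 1
  fi
  return 0
}

# Run the filter over the constructed inputs and confirm nothing leaks.
printf '%s\n%s\n%s\n' "$SAMPLE_LOG" "$SAMPLE_LOG2" "$SAMPLE_ANSWERS" | redact_secrets
printf '%s\n%s\n%s\n' "$SAMPLE_LOG" "$SAMPLE_LOG2" "$SAMPLE_ANSWERS" | redact_secrets | assert_no_leak
```

The leak check is the part worth keeping in any collector: pattern filters miss things, so grep the finished archive for every secret the installer knows about before shipping it.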
#1 Updated by The Foreman Bot over 6 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3952 added
#2 Updated by Daniel Lobato Garcia over 6 years ago
- Target version set to 1.5.2
#3 Updated by Lukas Zapletal over 6 years ago
#4 Updated by Dominic Cleal about 6 years ago
Lukas Zapletal wrote:
If you've requested a CVE for this issue, please follow the Security_process! It should be listed on the Foreman security page and you should be consulting or notifying the foreman-security list.
#5 Updated by Lukas Zapletal about 6 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 8c9db4bfea2f5fb14de2241dd7182a608baa7337.
#6 Updated by Dominic Cleal about 6 years ago
- Legacy Backlogs Release (now unused) set to 209
#7 Updated by Daniel Lobato Garcia about 6 years ago
- Target version changed from 1.5.2 to 1.11.0
#8 Updated by Lukas Zapletal about 6 years ago
- Subject changed from Filter out passwords from answer file and cert keys to CVE-2016-9593: Filter out passwords from answer file and cert keys
I haven't requested anything, Dominic. This is low score, leaving this on 1.15.
#9 Updated by Dominic Cleal about 6 years ago
Whoever decided to assign a CVE identifier to an issue in Foreman should in future bother notifying email@example.com.
Fixes #17005 - more strict debug password filter