Probe-and-enlist for SeaMicro chassis writes password to the log

Bug #1428666 reported by Mike Pontillo
Affects   Status        Importance  Assigned to     Milestone
MAAS      Fix Released  Critical    Mike Pontillo
MAAS 1.9  Fix Released  Critical    Mike Pontillo

Bug Description

Probe-and-enlist for the SeaMicro chassis writes the power parameters to maas.log.

Unfortunately, maas.log is world-readable.

We should just log the MAC addresses found, not the power parameters.
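The two logging choices described above, side by side, as an added illustration that is not MAAS's own code: the unsafe pattern that dumps the whole parameter set (chassis password included) into the log, the fix that logs only the discovered MAC addresses, a key-name based redactor for code paths that must log parameters anyway, and a permission check of the kind that would have flagged a world-readable log file. The `SAMPLE_NODES` shape, the parameter names and every function name here are assumptions made for the example.

```python
import os
import re
import stat
import tempfile

# Constructed sample of what a chassis probe might return for two nodes.
# The dict shape and key names are assumptions for this example, not
# MAAS's real data model.
SAMPLE_NODES = [
    {
        "mac_addresses": ["00:1e:67:aa:bb:01", "00:1e:67:aa:bb:02"],
        "power_parameters": {
            "power_address": "10.0.0.5",
            "power_user": "admin",
            "power_pass": "s3cret-chassis-pw",
            "system_id": "0/0",
        },
    },
    {
        "mac_addresses": ["00:1e:67:aa:bb:03"],
        "power_parameters": {
            "power_address": "10.0.0.5",
            "power_user": "admin",
            "power_pass": "s3cret-chassis-pw",
            "system_id": "0/1",
        },
    },
]

# Parameter names whose values must never reach a log file.
_SECRET_KEY_RE = re.compile(r"pass|password|secret|token|key", re.IGNORECASE)


def unsafe_log_message(nodes):
    """The pattern the bug describes: the entire parameter set is logged,
    so the chassis password lands in the (world-readable) log."""
    return "Enlisting nodes: %r" % nodes


def safe_log_message(nodes):
    """Log only what an operator needs to recognise a node: its MACs."""
    macs = [mac for node in nodes for mac in node["mac_addresses"]]
    return "Probe-and-enlist found %d node(s): %s" % (len(nodes), ", ".join(macs))


def redact_power_parameters(params):
    """Defence in depth for code that must log parameters: mask values
    whose key looks like a credential."""
    return {
        key: ("<redacted>" if _SECRET_KEY_RE.search(key) else value)
        for key, value in params.items()
    }


def leaked_secrets(message, nodes):
    """Return every credential value that appears verbatim in a log message."""
    found = []
    for node in nodes:
        for key, value in node["power_parameters"].items():
            if _SECRET_KEY_RE.search(key) and str(value) in message:
                found.append(value)
    return found


def is_world_readable(path):
    """True if 'other' has read permission on the file (the maas.log problem)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def world_readable_after_chmod(mode):
    """Create a temp file, apply ``mode`` explicitly, and report whether
    the result is world-readable. Demonstrates the check offline."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return is_world_readable(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(unsafe_log_message(SAMPLE_NODES))
    print(safe_log_message(SAMPLE_NODES))
    print(redact_power_parameters(SAMPLE_NODES[0]["power_parameters"]))
    print("leaked:", leaked_secrets(unsafe_log_message(SAMPLE_NODES), SAMPLE_NODES))
    print("0644 world-readable:", world_readable_after_chmod(0o644))
    print("0640 world-readable:", world_readable_after_chmod(0o640))
```

The key-name regex is a safety net, not a substitute for the actual fix: the robust change is to never pass the parameter dict to the logger at all, which is what logging only MAC addresses achieves.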

CVE References: CVE-2015-1320
Changed in maas:
importance: Undecided → High
status: New → In Progress
affects: maas → maas (Ubuntu)
Changed in maas (Ubuntu):
milestone: 1.7.3 → none
affects: maas (Ubuntu) → maas
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1320

Marc Deslauriers (mdeslaur) wrote :

What's the status on this issue? Did this get fixed? Does this bug need to remain private?

Marc Deslauriers (mdeslaur) wrote :

This security bug has been open for over a year now. I plan on making this bug public on 2016-05-01.

Andres Rodriguez (andreserl) wrote :

Hi Marc,

This was fixed in 1.8, 1.9 and 2.0.

We never released this in 1.7 because we have been trying to SRU 1.8 and now 1.9 into trusty for months now and we are still waiting on review from the release team.

We can make a fix for 1.7 and release, but our preference is to just finish the SRU of 1.9.

Thanks.

Mike Pontillo (mpontillo) wrote :

I'm going ahead and landing this in 1.7 just for completeness. The fix has been ready for about as long as the bug has been open.

Changed in maas:
status: In Progress → Fix Committed
milestone: none → 2.0.0
importance: High → Critical
Changed in maas:
status: Fix Committed → Fix Released
information type: Private Security → Public Security