Bug 1686517 - [ACTIVE-STANDBY]- openstack-octavia: Private keys written to world-readable log files
Status: ON_DEV
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: zstream
: 13.0 (Queens)
Assignee: Nir Magnezi
QA Contact: Alexander Stafeyev
Depends On: 1676473
Blocks: 1698576
Reported: 2019-03-07 15:51 UTC by Nir Magnezi
Modified: 2019-04-10 16:35 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
As a follow-up to the fix that resolved CVE-2018-16856, Octavia now encrypts the certificates and keys used for secure communication with amphorae in its internal workflows. Octavia used to exclude debug-level log output for specific tasks and flows that were explicitly specified by name, a method that is susceptible to code changes. A new option named server_certs_key_passphrase was added under the certificates section. Its default value is copied from an environment variable named TLS_PASS_AMPS_DEFAULT. If TLS_PASS_AMPS_DEFAULT is not set and the operator has not set another value directly, 'insecure-key-do-not-use-this-key' is used.
Clone Of: 1676473
Last Closed:
Target Upstream Version:

System ID Priority Status Summary Last Updated
OpenStack gerrit 641268 None None None 2019-03-07 15:56:26 UTC
OpenStack gerrit 641279 None None None 2019-03-07 15:56:26 UTC
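
The lookup order described in the Doc Text (configured value, then TLS_PASS_AMPS_DEFAULT, then the built-in fallback), written as a small audit check that flags a deployment still using the published fallback key. This is an added example, not code from Octavia or from this bug; the function name audit_passphrase, the sample configuration text and the handling of quoted or empty values are assumptions.

```python
import configparser

# Names taken from the Doc Text above.
SECTION = "certificates"
OPTION = "server_certs_key_passphrase"
ENV_VAR = "TLS_PASS_AMPS_DEFAULT"
INSECURE_DEFAULT = "insecure-key-do-not-use-this-key"


def audit_passphrase(conf_text, environ):
    """Return (source, ok) for the passphrase that would take effect.

    source: 'config', 'environment' or 'builtin-default'.
    ok: False when the value is empty or the published fallback string.
    Hypothetical helper: it models the order in the Doc Text only.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if parser.has_option(SECTION, OPTION):
        value, source = parser.get(SECTION, OPTION).strip(), "config"
        # Assumption: a value wrapped in matching quotes means the inner text.
        if len(value) > 1 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
    elif environ.get(ENV_VAR):
        value, source = environ[ENV_VAR], "environment"
    else:
        value, source = INSECURE_DEFAULT, "builtin-default"
    return source, value not in ("", INSECURE_DEFAULT)


# Constructed sample configurations (not taken from a real deployment).
CONF_UNSET = "[certificates]\nca_certificate = /constructed/path/ca.pem\n"
CONF_SET = "[certificates]\nserver_certs_key_passphrase = constructed-sample-value\n"
CONF_FALLBACK = "[certificates]\nserver_certs_key_passphrase = 'insecure-key-do-not-use-this-key'\n"

if __name__ == "__main__":
    cases = [
        ("explicit value", CONF_SET, {}),
        ("env only", CONF_UNSET, {ENV_VAR: "constructed-env-value"}),
        ("nothing set", CONF_UNSET, {}),
        ("fallback pasted into config", CONF_FALLBACK, {}),
    ]
    for label, conf, env in cases:
        source, ok = audit_passphrase(conf, env)
        print(f"{label:30} source={source:16} {'ok' if ok else 'REPLACE KEY'}")
```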