From 0b074f5c166f091fd0bd62cc4330047ba9dfb4c6 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Thu, 26 Jan 2017 14:55:39 +0000
Subject: [PATCH] OSSA-2017-001 (CVE-2017-2592)

CatchErrors leaks sensitive values in oslo.middleware

Change-Id: I2a85e96f457e58cc7f2160d733bdc7b1fe8de3df
Closes-Bug: #1628031
---
 ossa/OSSA-2017-001.yaml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 ossa/OSSA-2017-001.yaml

diff --git a/ossa/OSSA-2017-001.yaml b/ossa/OSSA-2017-001.yaml
new file mode 100644
index 0000000..036faeb
--- /dev/null
+++ b/ossa/OSSA-2017-001.yaml
@@ -0,0 +1,37 @@
+date: 2017-01-26
+
+id: OSSA-2017-001
+
+title: CatchErrors leaks sensitive values in oslo.middleware
+
+description: >
+  Divya K Konoor with IBM reported a vulnerability in oslo.middleware.
+  Software using the CatchError class may include sensitive values in
+  the error message accompanying a Traceback, resulting in their
+  disclosure. For example, complete API requests (including keystone
+  tokens in their headers) may leak into neutron error logs.
+
+affected-products:
+  - product: oslo.middleware
+    version: "<=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.23.0"
+
+vulnerabilities:
+  - cve-id: CVE-2017-2592
+
+reporters:
+  - name: Divya K Konoor
+    affiliation: IBM
+    reported:
+      - CVE-2017-2592
+
+issues:
+  links:
+    - https://launchpad.net/bugs/1628031
+
+reviews:
+  ocata:
+    - https://review.openstack.org/425730
+  newton:
+    - https://review.openstack.org/425732
+  mitaka:
+    - https://review.openstack.org/425734