From c54ed705df6588194d134abe1762aae5e0e5a39b Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Wed, 22 Mar 2017 14:23:58 +0000
Subject: [PATCH] OSSA-2017-002 (CVE-2017-7214) Nova logs sensitive context from notification exceptions
Change-Id: Iec1deae6bbe7fc73045c2abf9b3d44bafa86acc0
Closes-Bug: #1673569
---
ossa/OSSA-2017-002.yaml | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 ossa/OSSA-2017-002.yaml
diff --git a/ossa/OSSA-2017-002.yaml b/ossa/OSSA-2017-002.yaml
new file mode 100644
index 0000000..38549d5
--- /dev/null
+++ b/ossa/OSSA-2017-002.yaml
@@ -0,0 +1,38 @@
+date: 2017-03-23
+
+id: OSSA-2017-002
+
+title: Nova logs sensitive context from notification exceptions
+
+description: >
+ Matt Riedemann with Huawei reported a vulnerability in Nova. Legacy
+ notification exception contexts appearing in ERROR level logs may include
+ sensitive information such as account passwords and authorization tokens.
+ All Nova setups are affected.
+
+affected-products:
+ - product: Nova
+ version: ">=13.0.0 <=13.1.3, >=14.0.0 <=14.0.4, >=15.0.0 <=15.0.1"
+
+vulnerabilities:
+ - cve-id: CVE-2017-7214
+
+reporters:
+ - name: Matt Riedemann
+ affiliation: Huawei
+ reported:
+ - CVE-2017-7214
+
+issues:
+ links:
+ - https://launchpad.net/bugs/1673569
+
+reviews:
+ pike:
+ - https://review.openstack.org/446948
+ ocata:
+ - https://review.openstack.org/447071
+ newton:
+ - https://review.openstack.org/447072
+ mitaka:
+ - https://review.openstack.org/447075
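Review bot: The `description:` block says passwords and authorization tokens can end up in ERROR level logs, but the advisory gives operators no guidance on log entries written before the fix is applied. The changes listed under `reviews:` presumably only stop new leakage, so existing log files and anything shipped to log aggregation would still hold the secrets. I would add a `notes:` entry (or a closing sentence in the description) along the lines of `- Applying the fix does not remove credentials or tokens already written to ERROR level logs; review access to and retention of existing logs and rotate any secrets found in them.` Separately, "All Nova setups are affected" reads broader than the `version:` ranges, which start at 13.0.0; if earlier releases are affected but no longer supported, it would help to say so explicitly.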