Issue #1890

pulp-qpid-ssl-cfg echoes the NSS DB password

Added by rbarlow over 4 years ago. Updated over 1 year ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.8.5
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: Sprint 4
Quarter:

Description

Sander Bos reported that the pulp-qpid-ssl-cfg script echoes the NSS DB password. The password likely has little use for the admin, so there is no need for it to be printed. Echoing it will allow an observer to view the password on an admin's screen. However, since the script's shebang invokes bash and echo is a bash built-in, this password does not end up in the process table.

This password is stored in a file for qpidd to use. I recommend printing the path to that file for the user, rather than telling the password directly. If the user really wants to know the password, they can retrieve it that way.

I spoke with Red Hat Product Security, and we agreed that this was not a CVE but rather a silly behavior and so we should fix it as security hardening, but not as a security vulnerability.
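
The hardening recommended in the description, as an added example that is not code from pulp-qpid-ssl-cfg or the Pulp project: the generated password goes into an owner-only file, the admin is shown the file's path, and a check confirms the message does not contain the secret. The function names and the temporary file location are hypothetical.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not Pulp's.

# Generate a random password and store it in a file only the owner can read.
# Prints nothing: the secret never reaches the terminal or any argv.
write_password_file() {
    pwd_file=$1
    (
        umask 077                  # a newly created file gets mode 0600
        : > "$pwd_file"            # create, or truncate an existing file
        chmod 600 "$pwd_file"      # tighten a pre-existing file before writing
        # Secret flows through a pipe, never as a command-line argument.
        od -An -tx1 -N16 /dev/urandom | tr -d ' \n' >> "$pwd_file"
    )
}

# What the admin sees: where the secret lives, not the secret itself.
report_password_location() {
    printf 'The NSS DB password is stored in: %s\n' "$1"
}

# Regression check for installer output: succeeds (0) if the text leaks
# the contents of the password file.
output_leaks_password() {
    output=$1 pwd_file=$2
    case $output in
        *"$(cat "$pwd_file")"*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    write_password_file "$dir/nss-db-password"
    msg=$(report_password_location "$dir/nss-db-password")
    printf '%s\n' "$msg"
    if output_leaks_password "$msg" "$dir/nss-db-password"; then
        echo "LEAK: installer output contains the password" >&2
    fi
    rm -rf "$dir"
}
demo
```
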

Associated revisions

Revision 76e3e93d
Added by jortel@redhat.com over 4 years ago

NSS DB password no longer printed. closes #1890

History

#1 Updated by dkliban@redhat.com over 4 years ago

  • Platform Release set to 2.8.4
  • Triaged changed from No to Yes

#2 Updated by semyers over 4 years ago

  • Platform Release changed from 2.8.4 to 2.8.5

#3 Updated by Anonymous over 4 years ago

  • Sprint/Milestone set to 22

#4 Updated by jortel@redhat.com over 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com

#5 Updated by jortel@redhat.com over 4 years ago

  • Status changed from ASSIGNED to POST

#6 Updated by jortel@redhat.com over 4 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#7 Updated by semyers over 4 years ago

  • Status changed from MODIFIED to 5

#8 Updated by semyers over 4 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#9 Updated by bmbouter over 2 years ago

  • Sprint set to Sprint 4

#10 Updated by bmbouter over 2 years ago

  • Sprint/Milestone deleted (22)

#11 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added
