---
security:
  - |
    `OSSA-2019-003`_: Nova Server Resource Faults Leak External Exception
    Details (CVE-2019-14433)

    This release contains a security fix for `bug 1837877`_ where users
    without the admin role can be exposed to sensitive error details in
    the server resource fault ``message``.

    There is a behavior change where non-nova exceptions will only record
    the exception class name in the fault ``message`` field which is exposed
    to all users, regardless of the admin role.

    The fault ``details``, which are only exposed to users with the admin role,
    will continue to include the traceback and also include the exception
    value which for non-nova exceptions is what used to be exposed in the
    fault ``message`` field. Meaning, the information that admins could see
    for server faults is still available, but the exception value may be in
    ``details`` rather than ``message`` now.

    .. _OSSA-2019-003: https://security.openstack.org/ossa/OSSA-2019-003.html
    .. _bug 1837877: https://bugs.launchpad.net/nova/+bug/1837877