Hi Salvatore,
seems there are two issues mixed here...

On 1/18/20 8:46 AM, Salvatore Bonaccorso wrote:
> Forwarded: https://tracker.ceph.com/issues/41320

-> user+password end up in log files
-> https://github.com/ceph/ceph/pull/30445

and

> CVE-2020-1699[0]:

https://github.com/ceph/ceph/commit/0443e40c11280ba3b7efcba61522afa70c4f8158
which points to https://tracker.ceph.com/issues/43607 - but that bug doesn't seem to be public.

The combination of both is the interesting part as (not tested) I guess you can retrieve the log with the logged user/password via the buggy web server.

I'd guess that upstream releases 14.2.7 really soon, if not I'll patch the current version and upload it.

Thanks,

Bernd

--
Bernd Zeimetz
Debian GNU/Linux Developer
http://bzed.de
http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F