[virt-tools-list] [virt-manager PATCH v2 0/2] unattended: Don't expose user & admin passwords
Pavel Hrdina
phrdina at redhat.com
Wed Jul 3 22:13:01 UTC 2019
On Wed, Jul 03, 2019 at 01:32:59PM -0400, Cole Robinson wrote:
> On 7/3/19 10:01 AM, Fabiano Fidêncio wrote:
> > Let's not expose user & admin passwords either by having an option to
> > be used to set those passwords or in the debug messages.
> >
> > 'CVE-2019-10183' has been assigned to the virt-install --unattended
> > admin-password=xxx disclosure issue.
> >
> > Changes since v1:
> > https://www.redhat.com/archives/virt-tools-list/2019-July/msg00013.html
> > - passowrd -> password;
> > - pwd.read().rstrip("\n\r") -> pwd.readline().rstrip("\n\r") + document
> > this in our manpage;
> > - create a new config, with the sanitised password, and use it to print
> > the script content as a debug message;
> >
> > Fabiano Fidêncio (2):
> > unattended: Read the passwords from a file
> > unattended: Don't log user & admin passwords
> >
> > man/virt-install.pod | 24 ++++++++----
> > tests/cli-test-xml/admin-password.txt | 1 +
> > tests/cli-test-xml/user-password.txt | 3 ++
> > tests/clitest.py | 18 +++++----
> > virtinst/cli.py | 4 +-
> > virtinst/install/unattended.py | 56 ++++++++++++++++++++-------
> > 6 files changed, 76 insertions(+), 30 deletions(-)
> > create mode 100644 tests/cli-test-xml/admin-password.txt
> > create mode 100644 tests/cli-test-xml/user-password.txt
> >
>
> Fixed some pylint warnings and pushed
Thanks for pushing it, I was about to do the same but had to leave the
office.
Pavel
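
The two v2 changes listed in the cover letter above (reading only the first line of the password file, and printing the debug message from a config copy with sanitised passwords), as an added example that is not virt-manager's code. InstallConfig, render_script, sanitised, build_script, the mask string and the script template are hypothetical names constructed for illustration.

```python
import copy
import io
import logging
from dataclasses import dataclass

log = logging.getLogger("unattended-example")


@dataclass
class InstallConfig:
    # Hypothetical stand-in for the data rendered into an install script.
    user_login: str
    user_password: str
    admin_password: str


def read_password(stream):
    # Only the first line is the password. Strip the line ending but keep
    # other whitespace, since it may be part of the secret.
    return stream.readline().rstrip("\n\r")


def render_script(cfg):
    # Constructed template, not a real unattended-install script.
    return (f"user --name={cfg.user_login} --password={cfg.user_password}\n"
            f"rootpw {cfg.admin_password}\n")


def sanitised(cfg, mask="[SCRUBBED]"):
    # Copy the config and mask every secret; the original stays usable
    # for the script that is actually handed to the installer.
    clean = copy.copy(cfg)
    clean.user_password = mask
    clean.admin_password = mask
    return clean


def build_script(cfg):
    script = render_script(cfg)
    # The debug message is rendered from the sanitised copy, never from cfg.
    log.debug("Generated script:\n%s", render_script(sanitised(cfg)))
    return script


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Constructed sample: a password file whose second line is ignored.
    pw = read_password(io.StringIO("u-pw\nignored\n"))
    build_script(InstallConfig("alice", pw, "a-pw"))
```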