On 7/3/19 10:01 AM, Fabiano Fidêncio wrote:
> Let's not expose user & admin passwords neither by having an option to
> be used to set those passwords nor in the debug messages.
>
> 'CVE-2019-10183' has been assigned to the virt-install --unattended
> admin-password=xxx disclosure issue.
>
> Changes since v1:
> https://www.redhat.com/archives/virt-tools-list/2019-July/msg00013.html
> - passowrd -> password;
> - pwd.read().rstrip("\n\r") -> pwd.readline().rstrip("\n\r") + document
>   this in our manpage;
> - create a new config, with the sanitised password, and use it to print
>   the script content as a debug message;
>
> Fabiano Fidêncio (2):
>   unattended: Read the passwords from a file
>   unattended: Don't log user & admin passwords
>
>  man/virt-install.pod                  | 24 ++++++++----
>  tests/cli-test-xml/admin-password.txt |  1 +
>  tests/cli-test-xml/user-password.txt  |  3 ++
>  tests/clitest.py                      | 18 +++++----
>  virtinst/cli.py                       |  4 +-
>  virtinst/install/unattended.py        | 56 ++++++++++++++++++++-------
>  6 files changed, 76 insertions(+), 30 deletions(-)
>  create mode 100644 tests/cli-test-xml/admin-password.txt
>  create mode 100644 tests/cli-test-xml/user-password.txt
>

Fixed some pylint warnings and pushed

Thanks,
Cole

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
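
Added example, not part of the original message and not virt-manager's code: a sketch of the two changes the cover letter lists, reading a password from the first line of a file with readline().rstrip("\n\r") and writing the debug message from a copy of the config whose passwords are replaced. InstallConfig, render_script, the two-line script template and the "[hidden]" placeholder are assumptions made for illustration.

```python
import logging
import os
import tempfile
from dataclasses import dataclass, replace

log = logging.getLogger("unattended-example")


@dataclass(frozen=True)
class InstallConfig:
    """Hypothetical stand-in for the unattended-install settings."""
    user_login: str
    user_password: str
    admin_password: str


def read_password_file(path):
    """Return the first line of the file, without its line ending."""
    with open(path, "r", encoding="utf-8") as pwd:
        return pwd.readline().rstrip("\n\r")


def sanitised(config):
    """Copy of config that is safe to log; the original is left untouched."""
    return replace(config, user_password="[hidden]", admin_password="[hidden]")


def render_script(config):
    # Constructed two-line template, only to have something to render.
    return (f"rootpw {config.admin_password}\n"
            f"user --name={config.user_login} --password={config.user_password}\n")


def generate_script(config):
    """Render the real script, but log the one built from the sanitised copy."""
    script = render_script(config)
    log.debug("Generated script:\n%s", render_script(sanitised(config)))
    return script


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "admin-password.txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write("constructed-admin-pw\nanything after line one is ignored\n")
        cfg = InstallConfig("alice", "constructed-user-pw", read_password_file(path))
        assert "constructed-admin-pw" in generate_script(cfg)
```

Rendering the script twice keeps the secret out of the log without relying on string substitution over the already-rendered text, which would miss a password that the template escapes or encodes.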