On Wed, Jul 03, 2019 at 01:32:59PM -0400, Cole Robinson wrote:
> On 7/3/19 10:01 AM, Fabiano Fidêncio wrote:
> > Let's not expose user & admin passwords neither by having an option to
> > be used to set those passwords nor in the debug messages.
> >
> > 'CVE-2019-10183' has been assigned to the virt-install --unattended
> > admin-password=xxx disclosure issue.
> >
> > Changes since v1:
> > https://www.redhat.com/archives/virt-tools-list/2019-July/msg00013.html
> > - passowrd -> password;
> > - pwd.read().rstrip("\n\r") -> pwd.readline().rstrip("\n\r") + document
> >   this in our manpage;
> > - create a new config, with the sanitised password, and use it to print
> >   the script content as a debug message;
> >
> > Fabiano Fidêncio (2):
> >   unattended: Read the passwords from a file
> >   unattended: Don't log user & admin passwords
> >
> >  man/virt-install.pod                  | 24 ++++++++----
> >  tests/cli-test-xml/admin-password.txt |  1 +
> >  tests/cli-test-xml/user-password.txt  |  3 ++
> >  tests/clitest.py                      | 18 +++++----
> >  virtinst/cli.py                       |  4 +-
> >  virtinst/install/unattended.py        | 56 ++++++++++++++++++++-------
> >  6 files changed, 76 insertions(+), 30 deletions(-)
> >  create mode 100644 tests/cli-test-xml/admin-password.txt
> >  create mode 100644 tests/cli-test-xml/user-password.txt
> >
>
> Fixed some pylint warnings and pushed

Thanks for pushing it, I was about to do the same but had to leave office.

Pavel
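An added example, not code from virt-manager or from anyone in this thread: a Python illustration of the two changes listed in the cover letter, reading a password as the first line of a file with `readline().rstrip("\n\r")` and writing the debug message from a sanitised copy of the config. `InstallConfig`, `read_password_file`, `sanitised`, `render_script`, `generate` and the script template are hypothetical names and data constructed for illustration.

```python
import logging
import os
import tempfile
from dataclasses import dataclass, replace

log = logging.getLogger("unattended-example")


@dataclass(frozen=True)
class InstallConfig:  # hypothetical stand-in, not a virtinst class
    user_login: str
    user_password: str
    admin_password: str


def read_password_file(path):
    """Return the first line of the file without its line terminator."""
    with open(path, "r", encoding="utf-8") as pwd:
        # readline() stops at the first newline, so later lines are ignored;
        # rstrip("\n\r") removes only the terminator and keeps other
        # trailing characters (a space can be part of the password).
        return pwd.readline().rstrip("\n\r")


def sanitised(config, mask="[redacted]"):
    """Copy of the config that is safe to log: both passwords masked."""
    return replace(config, user_password=mask, admin_password=mask)


def render_script(config):
    # Constructed two-line template standing in for an install script.
    return ("rootpw {0.admin_password}\n"
            "user --name={0.user_login} --password={0.user_password}\n"
            ).format(config)


def generate(config):
    """Render the real script; log only the rendering of the sanitised copy."""
    script = render_script(config)
    log.debug("Generated script:\n%s", render_script(sanitised(config)))
    return script


def demo():
    # Constructed sample file: password on line 1, unrelated text on line 2.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "admin-password.txt")
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write("s3cret pass \r\nignored second line\n")
        os.chmod(path, 0o600)  # keep the file readable by its owner only
        admin = read_password_file(path)
    cfg = InstallConfig("alice", "hunter2", admin)
    return admin, generate(cfg), render_script(sanitised(cfg))
```

Rendering the log text from a masked copy of the config, rather than search-and-replacing the password in the finished script, also covers a password that happens to be a substring of other script content.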