)]}'
{
  "/PATCHSET_LEVEL": [
    {
      "author": {"_account_id": 11805, "name": "Corey Bryant", "email": "corey.bryant@canonical.com", "username": "coreycb"},
      "change_message_id": "65e682855c67467761d87199797b673dc8179df8",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "69e8510d_08c349bf",
      "updated": "2023-03-09 12:55:38.000000000",
      "message": "I marked the story as a security issue which should get it on the radar of the VMT for review.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 6737, "name": "Edward Hope-Morley", "email": "edward.hope-morley@canonical.com", "username": "hopem"},
      "change_message_id": "f12c18c1669e315c63381f34510e60aba54ec515",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "80cf5473_c3a7b7aa",
      "updated": "2023-02-15 09:59:14.000000000",
      "message": "Takashi, the heat documentation clearly states that parameters marked as hidden should not be visible in the output of a show. As a result this patch could really be deemed a security fix since the api is effectively leaking secret information. The fact that some software is relying on the existence of this bug does not justify not fixing and backporting it. The software should behave as documented and that is what this patch addresses. Therefore I believe that we absolutely should backport this patch and any software that is relying on this information should be fixed accordingly.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 9816, "name": "Takashi Kajinami", "email": "kajinamit@oss.nttdata.com", "username": "kajinamit"},
      "change_message_id": "0b7cc6783122eabc065b5e8a5b874be7e51e461d",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "9df5cc4d_45c4b24a",
      "updated": "2023-02-13 13:46:55.000000000",
      "message": "This has user impact and is not a very good candidate for backport. Actually we recently found this breaks TripleO which relies on environment API to obtain some secrets from stack info.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 35639, "name": "ChengEn, Du", "display_name": "Chengen Du", "email": "chengen.du@canonical.com", "username": "chengendu"},
      "change_message_id": "07b554bc571951700f779c901430abd1197b2da4",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "cd7dd8a2_737fdac6",
      "updated": "2023-03-29 10:00:06.000000000",
      "message": "We have received confirmation from Red Hat that the issue has been identified as a CVE.\nFor further details, we kindly recommend referring to the following link: https://access.redhat.com/security/cve/CVE-2023-1625.\n\nConsidering the severity of the vulnerability,\nwould it be appropriate to consider backporting the patch to the stable release?",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 6737, "name": "Edward Hope-Morley", "email": "edward.hope-morley@canonical.com", "username": "hopem"},
      "change_message_id": "c7618e7cc810004d9ad48b52dd09afdfcbf3f443",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "3911b774_2e9c49ae",
      "in_reply_to": "255ce7a8_2a8b7d4f",
      "updated": "2023-02-15 11:36:13.000000000",
      "message": "Takashi, the doc you pasted is the one I was referring to. There is no mention of hidden parameters in the actual api doc unfortunately.\n\nRabi, when users upgrade to Antelope they will be impacted anyway since it is now fixed there. Your point about raising as a security advisory is valid.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 8833, "name": "Rabi Mishra", "email": "ramishra@redhat.com", "username": "rabi"},
      "change_message_id": "7e5e09062744bf6be39f5729dcedd8f2e4ff3c0f",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "738388fe_c7d00472",
      "in_reply_to": "3911b774_2e9c49ae",
      "updated": "2023-02-15 11:43:49.000000000",
      "message": "For new releases it's fine with the release note. Consumers will change including TripleO. Backport is tricky for API changes which is normally not allowed, unless it's a CVE.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 35639, "name": "ChengEn, Du", "display_name": "Chengen Du", "email": "chengen.du@canonical.com", "username": "chengendu"},
      "change_message_id": "d8fa6c645012c576b034a4c6c00e4e8800a63350",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "b92a2c62_a61d4220",
      "in_reply_to": "5a0f152c_41b6b352",
      "updated": "2023-03-30 01:15:48.000000000",
      "message": "Done",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 9816, "name": "Takashi Kajinami", "email": "kajinamit@oss.nttdata.com", "username": "kajinamit"},
      "change_message_id": "5193d5f3d0fda2d089869311f4d323e9d2411107",
      "unresolved": true,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "5a0f152c_41b6b352",
      "in_reply_to": "724c8e59_e99f8bbf",
      "updated": "2023-02-14 02:25:00.000000000",
      "message": "we can fix TripleO so that it relies on a different mechanism but that is just an example showing how this can break external software.\n\nwe should not backport any patches with api impact to avoid such a breakage and unfortunately this is not backportable because of that point, imo",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 9816, "name": "Takashi Kajinami", "email": "kajinamit@oss.nttdata.com", "username": "kajinamit"},
      "change_message_id": "bd458e8c60d04d6bc38c9c130880d5118f05891c",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "e0c3ddf3_1acececb",
      "in_reply_to": "80cf5473_c3a7b7aa",
      "updated": "2023-02-15 10:36:58.000000000",
      "message": "Do you mind sharing any pointer to that doc? I was not really aware of one specifically stating the environment API should mask the hidden values. I'm aware the template doc says hidden indicates the parameter should be hidden but I've not yet found any document defining specific behavior of APIs.\n\nhttps://docs.openstack.org/heat/latest/template_guide/hot_spec.html#parameters-section\n\nI agree this smells like a security issue, but at the same time again this has api impact. It's true relying on the old behavior is not ideal but this is what has been exposed for a long time.\n\nProbably as the next step we can involve security advisories to evaluate how critical this can be and whether it's justified to change api response in stable releases for this. I don't intend to hard block this in case other cores think this is justified.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 35639, "name": "ChengEn, Du", "display_name": "Chengen Du", "email": "chengen.du@canonical.com", "username": "chengendu"},
      "change_message_id": "b80ee3fdccf0ea25c5ecd2d87ae03ef815c731ef",
      "unresolved": true,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "724c8e59_e99f8bbf",
      "in_reply_to": "9df5cc4d_45c4b24a",
      "updated": "2023-02-14 02:01:55.000000000",
      "message": "May I ask if TripleO needs to implement by another API or if our patch needs to change?",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 9816, "name": "Takashi Kajinami", "email": "kajinamit@oss.nttdata.com", "username": "kajinamit"},
      "change_message_id": "b85a456b53cc5a968b77bd522274873dc15fdfd7",
      "unresolved": true,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "ec9f3c40_6649e84c",
      "in_reply_to": "cd7dd8a2_737fdac6",
      "updated": "2023-03-29 11:01:21.000000000",
      "message": "I'm not too sure why it appears as our product CVE before it is reported in the community but now it is recognized as CVE we can justify this.\n\nThere are a few follow-up patches (unit tests and release note fix). Can we squash these into this?\n\nNote, as I left in the ussuri patch we no longer maintain Train and Ussuri which are being EOLed.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 8833, "name": "Rabi Mishra", "email": "ramishra@redhat.com", "username": "rabi"},
      "change_message_id": "1745bf036455cfa0e6fa8dbdf659b4aedad59c2d",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "255ce7a8_2a8b7d4f",
      "in_reply_to": "e0c3ddf3_1acececb",
      "updated": "2023-02-15 11:28:36.000000000",
      "message": "Though the change is probably fine for backport considering what should be expected when a \"parameter is hidden\", it's a breaking change. TripleO uses the API for extracting some password parameters from stack environment[1], though they are hidden in templates. TripleO can be changed, but, we probably need to understand the implications for other 3rd party software using it before going with backport. \n\nMaybe creating a CVE bug and involving OpenStack Security will bolster the case for backport. \n\n[1] https://github.com/openstack/tripleo-common/blame/master/tripleo_common/inventory.py#L735",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    },
    {
      "author": {"_account_id": 35639, "name": "ChengEn, Du", "display_name": "Chengen Du", "email": "chengen.du@canonical.com", "username": "chengendu"},
      "change_message_id": "d8fa6c645012c576b034a4c6c00e4e8800a63350",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "65d78f2e_eadcf73a",
      "in_reply_to": "ec9f3c40_6649e84c",
      "updated": "2023-03-30 01:15:48.000000000",
      "message": "Sure, we can squash these together.\nThanks for your help.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    }
  ],
  "releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml": [
    {
      "author": {"_account_id": 9816, "name": "Takashi Kajinami", "email": "kajinamit@oss.nttdata.com", "username": "kajinamit"},
      "change_message_id": "81b24f9c163fe38955852977701de73ab61cb018",
      "unresolved": false,
      "context_lines": [
        {"line_number": 1, "context_line": "---"},
        {"line_number": 2, "context_line": "fixes:"},
        {"line_number": 3, "context_line": "  - |"},
        {"line_number": 4, "context_line": "    Honor ``hidden`` parameter in ``stack environment show`` command"}
      ],
      "source_content_type": "text/x-yaml",
      "patch_set": 1,
      "id": "ca2ffc7d_c9f7b709",
      "line": 4,
      "range": {"start_line": 4, "start_character": 4, "end_line": 4, "end_character": 68},
      "updated": "2023-02-15 10:38:12.000000000",
      "message": "I noticed this is not very accurate, because the fix is made at API layer. I'll submit a patch to update this note to explain the API returns a different response now.",
      "commit_id": "17b0d1c932427a049b1bcc19fa15616df6f85877"
    }
  ]
}
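The behaviour the thread argues about is the environment API returning the clear-text value of parameters that the HOT template declares `hidden: true` (CVE-2023-1625), and the fix masking those values at the API layer. The block below is an added illustration of that contract, not Heat's own code and not the change under review: it takes a template's `parameters` section plus a stack environment, returns a view with hidden values masked, and offers a `leaked_secrets` check a practitioner can run against the output of `openstack stack environment show` on their own deployment. The `******` placeholder, the treatment of `parameter_defaults`, and the sample template and environment are all assumptions, constructed here rather than taken from the page.

```python
"""Mask ``hidden`` template parameters in a stack-environment view.

Added illustration, not Heat's own code. It mirrors the behaviour the review
thread asks of the environment API: values of parameters declared with
``hidden: true`` in the HOT template must not be returned in clear.
The ``******`` placeholder and the dict shapes are assumptions.
"""
import copy

MASK = "******"  # assumed placeholder; the API contract decides the real one


def hidden_parameters(template):
    """Return the names of parameters declared ``hidden: true``."""
    params = template.get("parameters") or {}
    return {name for name, schema in params.items() if (schema or {}).get("hidden")}


def redact_environment(template, environment):
    """Return a copy of ``environment`` with hidden parameter values masked.

    ``parameter_defaults`` is masked as well: that is a choice made here, on
    the grounds that a default supplied through the environment is just as
    secret. The input is deep-copied, never mutated, so the engine's own copy
    of the environment stays intact.
    """
    hidden = hidden_parameters(template)
    redacted = copy.deepcopy(environment)
    for section in ("parameters", "parameter_defaults"):
        values = redacted.get(section)
        if not isinstance(values, dict):
            continue
        for name in values:
            if name in hidden:
                values[name] = MASK
    return redacted


def leaked_secrets(template, environment_view):
    """Names of hidden parameters whose real value is visible in an API view.

    Regression check: feed it the JSON returned for your stack by
    ``openstack stack environment show``; an empty set means nothing leaks.
    """
    hidden = hidden_parameters(template)
    leaked = set()
    for section in ("parameters", "parameter_defaults"):
        for name, value in (environment_view.get(section) or {}).items():
            if name in hidden and value != MASK:
                leaked.add(name)
    return leaked


# Constructed sample input (not from a real deployment).
TEMPLATE = {
    "heat_template_version": "2018-08-31",
    "parameters": {
        "db_password": {"type": "string", "hidden": True},
        "db_user": {"type": "string"},
    },
}

ENVIRONMENT = {
    "parameters": {"db_password": "s3cr3t", "db_user": "app"},
    "parameter_defaults": {"db_password": "fallback-s3cr3t"},
    "resource_registry": {},
}

if __name__ == "__main__":
    # Pre-fix behaviour: the raw environment is returned verbatim and leaks.
    print("raw view leaks:", sorted(leaked_secrets(TEMPLATE, ENVIRONMENT)))
    # Post-fix behaviour: hidden values are masked, everything else untouched.
    view = redact_environment(TEMPLATE, ENVIRONMENT)
    print("redacted view:", view)
    print("redacted view leaks:", sorted(leaked_secrets(TEMPLATE, view)))
```

A consumer that, like the TripleO code referenced in the thread, reads password parameters back out of the environment view will see `******` after the fix; that is the API break the reviewers weigh against the leak, and the reason such consumers need another source for those values.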
