diff -Nru heat-10.0.2/debian/changelog heat-10.0.2/debian/changelog
--- heat-10.0.2/debian/changelog 2018-10-03 04:24:40.000000000 +0000
+++ heat-10.0.2/debian/changelog 2023-05-11 06:25:50.000000000 +0000
@@ -1,8 +1,18 @@
-heat (1:10.0.2-0ubuntu1~cloud0) xenial-queens; urgency=medium
+heat (1:10.0.2-0ubuntu1.1~cloud0) xenial-queens; urgency=medium
- * New upstream release for the Ubuntu Cloud Archive.
+ * New update for the Ubuntu Cloud Archive.
- -- Openstack Ubuntu Testing Bot Wed, 03 Oct 2018 04:24:40 +0000
+ -- Openstack Ubuntu Testing Bot Thu, 11 May 2023 06:25:50 +0000
+
+heat (1:10.0.2-0ubuntu1.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: information leak in API
+ - debian/patches/CVE-2023-1625.patch: honor 'hidden' parameter in
+ 'stack environment show' command in heat/engine/service.py,
+ heat/tests/test_engine_service.py.
+ - CVE-2023-1625
+
+ -- Marc Deslauriers Tue, 18 Apr 2023 07:34:49 -0400
 heat (1:10.0.2-0ubuntu1) bionic; urgency=medium
diff -Nru heat-10.0.2/debian/patches/CVE-2023-1625.patch heat-10.0.2/debian/patches/CVE-2023-1625.patch
--- heat-10.0.2/debian/patches/CVE-2023-1625.patch 1970-01-01 00:00:00.000000000 +0000
+++ heat-10.0.2/debian/patches/CVE-2023-1625.patch 2023-04-18 11:34:46.000000000 +0000
@@ -0,0 +1,62 @@
+Backport of:
+
+From 1305a3152f75c6e62ec5094ea2bfc38f165204cf Mon Sep 17 00:00:00 2001
+From: Chengen Du
+Date: Tue, 20 Dec 2022 18:00:00 +0800
+Subject: [PATCH] Honor 'hidden' parameter in 'stack environment show' command
+
+Related-Bug: #1999665
+Story: 2010484
+Task: 47052
+Change-Id: Ifc51ff6a4deab05002ccded59383416f9a586aa0
+---
+ heat/engine/service.py | 12 +++++++++++-
+ heat/tests/test_engine_service.py | 3 ++-
+ ...meter-in-stack-env-show-cmd-062065545dfef82a.yaml | 4 ++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+ create mode 100644 releasenotes/notes/honor-hidden-parameter-in-stack-env-show-cmd-062065545dfef82a.yaml
+
+--- a/heat/engine/service.py
++++ b/heat/engine/service.py
+@@ -12,6 +12,7 @@
+ # under the License.
+
+ import collections
++import copy
+ import datetime
+ import functools
+ import itertools
+@@ -1311,7 +1312,16 @@ class EngineService(service.ServiceBase)
+ :rtype: dict
+ """
+ s = self._get_stack(cnxt, stack_identity, show_deleted=True)
+- return s.raw_template.environment
++ tmpl = templatem.Template.load(cnxt, s.raw_template_id, s.raw_template)
++ param_schemata = tmpl.all_param_schemata(tmpl.files)
++ env = copy.deepcopy(s.raw_template.environment)
++ for section in [env_fmt.PARAMETERS, env_fmt.PARAMETER_DEFAULTS]:
++ for param_name in env.get(section, {}).keys():
++ if (param_name not in param_schemata
++ or not param_schemata[param_name].hidden):
++ continue
++ env[section][param_name] = str('******')
++ return env
+
+ @context.request_context
+ def get_files(self, cnxt, stack_identity):
+--- a/heat/tests/test_engine_service.py
++++ b/heat/tests/test_engine_service.py
+@@ -1014,11 +1014,12 @@ class StackServiceTest(common.HeatTestCa
+ env = {'parameters': {'KeyName': 'EnvKey'}}
+ tmpl = templatem.Template(t)
+ stack = parser.Stack(self.ctx, 'get_env_stack', tmpl)
++ stack.store()
+
+ mock_get_stack = self.patchobject(self.eng, '_get_stack')
+ mock_get_stack.return_value = mock.MagicMock()
+ mock_get_stack.return_value.raw_template.environment = env
+- self.patchobject(parser.Stack, 'load', return_value=stack)
++ self.patchobject(templatem.Template, 'load', return_value=tmpl)
+
+ # Test
+ found = self.eng.get_environment(self.ctx, stack.identifier())
diff -Nru heat-10.0.2/debian/patches/series heat-10.0.2/debian/patches/series
--- heat-10.0.2/debian/patches/series 2018-10-01 15:36:52.000000000 +0000
+++ heat-10.0.2/debian/patches/series 2023-04-18 11:34:42.000000000 +0000
@@ -1 +1,2 @@
 sudoers_patch.patch
+CVE-2023-1625.patch
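Review bot: The test_engine_service.py part of this patch only rewires the mocks (`stack.store()`, patching `templatem.Template.load` instead of `parser.Stack.load`) and keeps the existing non-hidden `KeyName` case, so nothing visible in the hunk exercises the masking path the fix exists for — no parameter with `hidden=True` in the template schema ever reaches `env[section][param_name] = str('******')` under test. A regression test that declares a hidden parameter in the template, supplies a value for it in both the `parameters` and `parameter_defaults` sections of the environment, and asserts the returned environment carries `'******'` for that name while `KeyName` is returned unchanged would pin the security behaviour and catch a future regression of the `.hidden` check. Note also that the loop deliberately skips names absent from `param_schemata` via the `continue` branch, so environment entries with no matching schema in the template or its files are still returned verbatim; if that is intended, a comment such as `# only parameters with a template schema can be marked hidden; unknown names pass through unmasked` on the `if` would make the boundary of the masking explicit to the next maintainer. Minor style: `str('******')` and `.keys()` are redundant on Python 3 but harmless in a backport. The `get_environment` signature and the head of its docstring lie above the quoted context, outside this hunk.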