As discussed on the stable-maint list[1] such change isn't appropriate for the stable branch. Distros can carry the proposed patch[2] or drop oauth support in their Havana packages, to address security concerns with oauth2. [1] http://lists.openstack.org/pipermail/openstack-stable-maint/2014-March/002242.html [2] https://review.openstack.org/70750 ** Also affects: keystone/havana Importance: Undecided Status: New ** Changed in: keystone/havana Status: New => Won't Fix ** Changed in: keystone/havana Importance: Undecided => High -- You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1240382 Title: python-oauth2 dependency is unmaintained and has security issues Status in OpenStack Identity (Keystone): Fix Released Status in Keystone havana series: Won't Fix Bug description: oauth2 is not maintained and have 2 CVE issues CVE-2013-4346 and CVE-2013-4347 and is not Python3 compatible can you remove this dependency (maybe switching to requests ? ) To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1240382/+subscriptions