[Openstack-security] [Bug 1240382] Re: python-oauth2 dependency is unmaintained and has security issues
OpenStack Infra
1240382 at bugs.launchpad.net
Sat Jan 18 22:42:11 UTC 2014
Reviewed: https://review.openstack.org/64427
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bed88a2e724f5f23a1c839b7872b1bc56f059df5
Submitter: Jenkins
Branch: master
commit bed88a2e724f5f23a1c839b7872b1bc56f059df5
Author: Matthieu Huin <mhu at enovance.com>
Date: Mon Dec 2 10:43:10 2013 +0100
Replacing python-oauth2 by oauthlib
This patch replaces the old, unmaintained python-oauth2 library
by the better suited oauthlib in keystone oAuth modules.
The library switch comes with two notable changes in terms of use:
* the client must set the callback uri to 'oob' (out-of-band)
explicitly when requesting a Request Token
* the requested_project_id header is not included in the signature
anymore, in compliance with the oAuth1 spec.
Closes-Bug: 1240382
Change-Id: Ie553830cc80075aa818e719604e6bc4c754d2ae3
** Changed in: keystone
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1240382
Title:
python-oauth2 dependency is unmaintained and has security issues
Status in OpenStack Identity (Keystone):
Fix Committed
Bug description:
oauth2 is not maintained and have 2 CVE issues CVE-2013-4346 and CVE-2013-4347 and is not Python3 compatible
can you remove this dependency (maybe switching to requests ? )
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1240382/+subscriptions
More information about the Openstack-security
mailing list