OpenStack Security Advisory: 2013-013 CVE: CVE-2013-2013 Date: May 23, 2013 Title: Keystone client local information disclosure Reporter: Jake Dahn (Nebula) Products: python-keystoneclient Affects: All versions

Description: Jake Dahn from Nebula reported a vulnerability that the keystone client only allows passwords to be updated in a clear text command-line argument, which may enable other local users to obtain sensitive information by listing the process and potentially leaves a record of the password within the shell command history.

Fix: https://review.openstack.org/28702

Notes: A fix has already been merged to the python-keystoneclient master branch on 2013-05-21 (commit f2e0818) which adds an interactive password prompt, and will appear in the next release of python-keystoneclient.

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013 https://bugs.launchpad.net/python-keystoneclient/+bug/938315