This message is to inform you of a security vulnerability that existed in older versions of SQLAlchemy.

The following bug was reported against Keystone:

https://bugs.launchpad.net/keystone/+bug/918608

The bug pointed out a possible SQL injection issue when Keystone was used in combination with older versions of SQLAlchemy (prior to 0.6.7 or 0.7.0). Note that no other OpenStack projects used the parts of SQLAlchemy affected by this issue.

A workaround was committed to Keystone for any system that might still be using an older version of SQLAlchemy. This patch is present in the essex-3 milestone.

https://github.com/openstack/keystone/commit/45b36369a39e5e3cde6453312d73f85268dcd372

For reference, the SQLAlchemy issue has been assigned CVE-2012-0805.

--
Russell Bryant
OpenStack Vulnerability Management Team