[Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

Lloyd Dewolf lloydostack at gmail.com
Mon Jun 3 17:01:03 UTC 2013


I appreciate that it often isn't appropriate, but in this case it
might have been beneficial to include python-keystoneclient version
0.2.4 where this is first resolved.

Thank you,
Lloyd


On Thu, May 23, 2013 at 1:52 PM, Jeremy Stanley <jeremy at openstack.org> wrote:
> OpenStack Security Advisory: 2013-013
> CVE: CVE-2013-2013
> Date: May 23, 2013
> Title: Keystone client local information disclosure
> Reporter: Jake Dahn (Nebula)
> Products: python-keystoneclient
> Affects: All versions
>
> Description:
> Jake Dahn from Nebula reported a vulnerability that the keystone
> client only allows passwords to be updated in a clear text
> command-line argument, which may enable other local users to obtain
> sensitive information by listing the process and potentially leaves
> a record of the password within the shell command history.
>
> Fix:
> https://review.openstack.org/28702
>
> Notes:
> A fix has already been merged to the python-keystoneclient master
> branch on 2013-05-21 (commit f2e0818) which adds an interactive
> password prompt, and will appear in the next release of
> python-keystoneclient.
>
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013
> https://bugs.launchpad.net/python-keystoneclient/+bug/938315
>
> --
> Jeremy Stanley (fungi)
> OpenStack Vulnerability Management Team
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQJ8BAEBCgBmBQJRnoF7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
> ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5N0FFNDk2RkMwMkRFQzlGQzM1M0IyRTc0
> OEY5OTYxMTQzNDk1ODI5AAoJEEj5lhFDSVgp0egP/1ulEpWpQ+PGB3wnu3mFHJqU
> yx9hV1vgQok7+bo9IpYJg5fKbiG+xfK5F3DOAaeuLFH5qidLPTPeSLozRtJAyMfa
> lU7uuNA5e1oVDWDjEKaeeoC05cj9gaCx6GF1cdX6HIbMWVtZhBOiBZWEGU3l0lKV
> 9dpb0RbJ0xNa7m5NN7N7D7Qg42QGglTalolTAyzOyR7/EnM+iQNKlxIIdhKm3Lrb
> 512NnEsPpn2gB3zDU/IKxE6Pvy65dbBDzEos9anE4H7BuSm3QyP4RwWk21QPp+H8
> BQenDw3gahj3YBw14e5qaZgG5V4wdRkru7OOrIuzfPDcsydSD/9xGKmEs6MXXtBh
> rCpQ9iUApd1QBtrFWfnmsGrr6H3gGfHzFvBCOg2oWX4t1/cbP01EMTPswO0lpL4B
> HobIqng1eg0rKUIfLc4TQRpNBungfatjsBt5lb4ee2ywE3ABOQ47drN/fhVopKT7
> 6OojreEuOdaY0t3u68jwTYafdyqzlvUEirewJE4BYVuDl8ML9UyLhwQOrhUxhk+l
> q6aZ6oyMHlL6HLmQoukFzWt5J922QnxYJNq8izfDKHTte5BAyIdOHoV/nMgkyXTN
> nOt+tO+lByflI+Jy0K4ppWaaCuBCakWW8GTa7QLi6drxGIjA+vtIROLYsIk1rIDS
> byjR9eRNCwVNvv94gXZi
> =eJME
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>



-- 
--
@lloyddewolf
http://www.pistoncloud.com/




More information about the Openstack mailing list