I appreciate that it often isn't appropriate, but in this case it might have been beneficial to include python-keystoneclient version 0.2.4 where this is first resolved.
Thank you, Lloyd On Thu, May 23, 2013 at 1:52 PM, Jeremy Stanley <jer...@openstack.org> wrote: > OpenStack Security Advisory: 2013-013 > CVE: CVE-2013-2013 > Date: May 23, 2013 > Title: Keystone client local information disclosure > Reporter: Jake Dahn (Nebula) > Products: python-keystoneclient > Affects: All versions > > Description: > Jake Dahn from Nebula reported a vulnerability that the keystone > client only allows passwords to be updated in a clear text > command-line argument, which may enable other local users to obtain > sensitive information by listing the process and potentially leaves > a record of the password within the shell command history. > > Fix: > https://review.openstack.org/28702 > > Notes: > A fix has already been merged to the python-keystoneclient master > branch on 2013-05-21 (commit f2e0818) which adds an interactive > password prompt, and will appear in the next release of > python-keystoneclient. > > References: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013 > https://bugs.launchpad.net/python-keystoneclient/+bug/938315 > > -- > Jeremy Stanley (fungi) > OpenStack Vulnerability Management Team > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iQJ8BAEBCgBmBQJRnoF7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w > ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5N0FFNDk2RkMwMkRFQzlGQzM1M0IyRTc0 > OEY5OTYxMTQzNDk1ODI5AAoJEEj5lhFDSVgp0egP/1ulEpWpQ+PGB3wnu3mFHJqU > yx9hV1vgQok7+bo9IpYJg5fKbiG+xfK5F3DOAaeuLFH5qidLPTPeSLozRtJAyMfa > lU7uuNA5e1oVDWDjEKaeeoC05cj9gaCx6GF1cdX6HIbMWVtZhBOiBZWEGU3l0lKV > 9dpb0RbJ0xNa7m5NN7N7D7Qg42QGglTalolTAyzOyR7/EnM+iQNKlxIIdhKm3Lrb > 512NnEsPpn2gB3zDU/IKxE6Pvy65dbBDzEos9anE4H7BuSm3QyP4RwWk21QPp+H8 > BQenDw3gahj3YBw14e5qaZgG5V4wdRkru7OOrIuzfPDcsydSD/9xGKmEs6MXXtBh > rCpQ9iUApd1QBtrFWfnmsGrr6H3gGfHzFvBCOg2oWX4t1/cbP01EMTPswO0lpL4B > HobIqng1eg0rKUIfLc4TQRpNBungfatjsBt5lb4ee2ywE3ABOQ47drN/fhVopKT7 > 6OojreEuOdaY0t3u68jwTYafdyqzlvUEirewJE4BYVuDl8ML9UyLhwQOrhUxhk+l > q6aZ6oyMHlL6HLmQoukFzWt5J922QnxYJNq8izfDKHTte5BAyIdOHoV/nMgkyXTN > nOt+tO+lByflI+Jy0K4ppWaaCuBCakWW8GTa7QLi6drxGIjA+vtIROLYsIk1rIDS > byjR9eRNCwVNvv94gXZi > =eJME > -----END PGP SIGNATURE----- > > _______________________________________________ > Mailing list: https://launchpad.net/~openstack > Post to : openstack@lists.launchpad.net > Unsubscribe : https://launchpad.net/~openstack > More help : https://help.launchpad.net/ListHelp > -- -- @lloyddewolf http://www.pistoncloud.com/ _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
