oss-sec mailing list archives
Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)
From: Lloyd Dewolf <lloydostack () gmail com>
Date: Mon, 3 Jun 2013 10:01:03 -0700
I appreciate that it often isn't appropriate, but in this case it might have been beneficial to include python-keystoneclient version 0.2.4 where this is first resolved. Thank you, Lloyd On Thu, May 23, 2013 at 1:52 PM, Jeremy Stanley <jeremy () openstack org> wrote:
OpenStack Security Advisory: 2013-013 CVE: CVE-2013-2013 Date: May 23, 2013 Title: Keystone client local information disclosure Reporter: Jake Dahn (Nebula) Products: python-keystoneclient Affects: All versions Description: Jake Dahn from Nebula reported a vulnerability that the keystone client only allows passwords to be updated in a clear text command-line argument, which may enable other local users to obtain sensitive information by listing the process and potentially leaves a record of the password within the shell command history. Fix: https://review.openstack.org/28702 Notes: A fix has already been merged to the python-keystoneclient master branch on 2013-05-21 (commit f2e0818) which adds an interactive password prompt, and will appear in the next release of python-keystoneclient. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013 https://bugs.launchpad.net/python-keystoneclient/+bug/938315 -- Jeremy Stanley (fungi) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQJ8BAEBCgBmBQJRnoF7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5N0FFNDk2RkMwMkRFQzlGQzM1M0IyRTc0 OEY5OTYxMTQzNDk1ODI5AAoJEEj5lhFDSVgp0egP/1ulEpWpQ+PGB3wnu3mFHJqU yx9hV1vgQok7+bo9IpYJg5fKbiG+xfK5F3DOAaeuLFH5qidLPTPeSLozRtJAyMfa lU7uuNA5e1oVDWDjEKaeeoC05cj9gaCx6GF1cdX6HIbMWVtZhBOiBZWEGU3l0lKV 9dpb0RbJ0xNa7m5NN7N7D7Qg42QGglTalolTAyzOyR7/EnM+iQNKlxIIdhKm3Lrb 512NnEsPpn2gB3zDU/IKxE6Pvy65dbBDzEos9anE4H7BuSm3QyP4RwWk21QPp+H8 BQenDw3gahj3YBw14e5qaZgG5V4wdRkru7OOrIuzfPDcsydSD/9xGKmEs6MXXtBh rCpQ9iUApd1QBtrFWfnmsGrr6H3gGfHzFvBCOg2oWX4t1/cbP01EMTPswO0lpL4B HobIqng1eg0rKUIfLc4TQRpNBungfatjsBt5lb4ee2ywE3ABOQ47drN/fhVopKT7 6OojreEuOdaY0t3u68jwTYafdyqzlvUEirewJE4BYVuDl8ML9UyLhwQOrhUxhk+l q6aZ6oyMHlL6HLmQoukFzWt5J922QnxYJNq8izfDKHTte5BAyIdOHoV/nMgkyXTN nOt+tO+lByflI+Jy0K4ppWaaCuBCakWW8GTa7QLi6drxGIjA+vtIROLYsIk1rIDS byjR9eRNCwVNvv94gXZi =eJME -----END PGP SIGNATURE----- _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack () lists launchpad net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
-- -- @lloyddewolf http://www.pistoncloud.com/
Current thread:
- [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Jeremy Stanley (May 23)
- Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Lloyd Dewolf (Jun 03)
- Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Jeremy Stanley (Jun 03)
- Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Lloyd Dewolf (Jun 03)
- Re: [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Jeremy Stanley (Jun 03)
- Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Robert Collins (Jun 03)
- Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Jeremy Stanley (Jun 03)
- Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) Lloyd Dewolf (Jun 03)