Message-ID: <20130523205212.GE29720@openstack.org>
Date: Thu, 23 May 2013 20:52:12 +0000
From: Jeremy Stanley <jeremy@...nstack.org>
To: openstack@...ts.launchpad.net, oss-security@...ts.openwall.com
Subject: [OSSA 2013-013] Keystone client local information disclosure
 (CVE-2013-2013)

OpenStack Security Advisory: 2013-013
CVE: CVE-2013-2013
Date: May 23, 2013
Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability in which the keystone
client only allows passwords to be updated via a clear-text
command-line argument. This may enable other local users to obtain
sensitive information by listing the process, and potentially leaves
a record of the password within the shell command history.

Fix:
https://review.openstack.org/28702

Notes:
A fix has already been merged to the python-keystoneclient master
branch on 2013-05-21 (commit f2e0818) which adds an interactive
password prompt, and will appear in the next release of
python-keystoneclient.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013
https://bugs.launchpad.net/python-keystoneclient/+bug/938315

-- 
Jeremy Stanley (fungi)
OpenStack Vulnerability Management Team
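
The mitigation pattern the advisory describes (an interactive prompt instead of a mandatory command-line password), as an added example that is not taken from python-keystoneclient or commit f2e0818. The program name, option names and function names are hypothetical.

```python
import argparse
import getpass
import sys

def build_parser():
    # Hypothetical CLI: --pass stays available for scripts but is not required.
    p = argparse.ArgumentParser(prog="demo-password-update")
    p.add_argument("user")
    p.add_argument("--pass", dest="passwd", default=None,
                   help="discouraged: visible in process listings and shell history")
    return p

def prompt_new_password(prompt, attempts=3):
    # Read the password twice without echo; it never enters argv or history.
    for _ in range(attempts):
        first = prompt("New Password: ")
        second = prompt("Repeat New Password: ")
        if first and first == second:
            return first
        print("Passwords empty or mismatched, try again.", file=sys.stderr)
    raise SystemExit("Password not updated.")

def resolve_password(argv, prompt=getpass.getpass, isatty=None):
    """Return (password, source) where source is 'argv' or 'prompt'."""
    args = build_parser().parse_args(argv)
    if args.passwd is not None:
        print("warning: --pass exposes the password to other local users",
              file=sys.stderr)
        return args.passwd, "argv"
    if not (isatty or sys.stdin.isatty)():
        # No terminal to prompt on: fail closed rather than read silently.
        raise SystemExit("No TTY for password prompt.")
    return prompt_new_password(prompt), "prompt"

if __name__ == "__main__":
    _password, source = resolve_password(sys.argv[1:])
    print("password obtained via", source)
```

The `prompt` and `isatty` parameters exist only so the prompt path can be exercised without a terminal.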
