
openstack team mailing list archive

[Security] SQL injection with Keystone + old SQLAlchemy


This message is to inform you of a security vulnerability that existed
in older versions of SQLAlchemy.  The following bug was reported against
Keystone:

    https://bugs.launchpad.net/keystone/+bug/918608

The bug pointed out a possible SQL injection issue when Keystone was
used in combination with older versions of SQLAlchemy (prior to 0.6.7 or
0.7.0).  Note that no other OpenStack projects used the parts of
SQLAlchemy affected by this issue.

A workaround was committed to Keystone for any system that might still
be using an older version of SQLAlchemy.  This patch is present in the
essex-3 milestone.

https://github.com/openstack/keystone/commit/45b36369a39e5e3cde6453312d73f85268dcd372

For reference, the SQLAlchemy issue has been assigned CVE-2012-0805.

-- 
Russell Bryant
OpenStack Vulnerability Management Team
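
An added example, not part of the advisory above and not Keystone's patch or SQLAlchemy's code. The CVE-2012-0805 description places the injection in the limit and offset values handed to SQLAlchemy's select(); the code below reproduces that bug class with hand-built SQL over an in-memory sqlite3 table (the tables and rows are constructed for the example), then shows the check a practitioner would want on the application side whatever the library version: coerce pagination parameters to bounded non-negative integers before they reach the query layer, and bind them rather than interpolating them. The function names, the MAX_LIMIT and MAX_OFFSET bounds, and the table contents are assumptions.

```python
# Added example (not Keystone's or SQLAlchemy's code): the LIMIT/OFFSET
# injection class described for CVE-2012-0805, and the application-side check.
import re
import sqlite3

# Constructed data: an in-memory stand-in for a tenant listing plus a table
# the caller should never be able to query through the listing endpoint.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO tenants (name) VALUES ('alpha'), ('beta'), ('gamma'), ('delta');
    CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT);
    INSERT INTO secrets (value) VALUES ('s3cr3t');
""")

MAX_LIMIT = 1000          # assumed page-size cap
MAX_OFFSET = 2 ** 31 - 1  # assumed offset cap (fits a signed 32-bit column)


def list_tenants_interpolated(limit, offset):
    """Bug class: request-supplied values pasted into the SQL text.

    Any SQL expression is accepted where a number was expected, so a caller
    controlling ?offset= can make the database evaluate a subquery for them.
    """
    sql = "SELECT name FROM tenants ORDER BY id LIMIT %s OFFSET %s" % (limit, offset)
    return [row[0] for row in _conn.execute(sql)]


def parse_page_param(raw, name, default, maximum):
    """Coerce an untrusted pagination value to a bounded non-negative int.

    Accepts an int, or a string of ASCII decimal digits only; rejects
    negatives, surrounding whitespace, empty strings, subqueries, comment
    markers and anything above `maximum`.  Raises ValueError on rejection so
    the API layer can answer 400 instead of forwarding the value.
    """
    if raw is None:
        return default
    if isinstance(raw, bool):
        raise ValueError("%s must be an integer" % name)
    if isinstance(raw, str):
        if re.fullmatch(r"[0-9]+", raw) is None:
            raise ValueError("%s must be a non-negative integer" % name)
        raw = int(raw)
    elif not isinstance(raw, int):
        raise ValueError("%s must be an integer" % name)
    if raw < 0 or raw > maximum:
        raise ValueError("%s must be between 0 and %d" % (name, maximum))
    return raw


def list_tenants_bound(limit=None, offset=None):
    """Hardened form: validate first, then bind as query parameters.

    Keeping this check in the application, even with a fixed SQLAlchemy,
    means a regression in the query layer cannot turn ?limit= or ?offset=
    into an injection point again.
    """
    limit = parse_page_param(limit, "limit", 100, MAX_LIMIT)
    offset = parse_page_param(offset, "offset", 0, MAX_OFFSET)
    sql = "SELECT name FROM tenants ORDER BY id LIMIT ? OFFSET ?"
    return [row[0] for row in _conn.execute(sql, (limit, offset))]


if __name__ == "__main__":
    # The injected subquery is evaluated by the interpolating builder ...
    print(list_tenants_interpolated("1", "(SELECT count(*) FROM secrets)"))
    # ... and rejected before it reaches SQL by the hardened one.
    try:
        list_tenants_bound("1", "(SELECT count(*) FROM secrets)")
    except ValueError as err:
        print("rejected:", err)
```

The interpolating builder returns a row chosen by the attacker's subquery, which is enough of an oracle to extract data one comparison at a time; the hardened builder never lets a non-digit string near the SQL text, and binding the validated integers means the query layer sees a value, not a fragment of SQL.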