openstack team mailing list archive

Thread
Date

[OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

To: openstack@xxxxxxxxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <jeremy@xxxxxxxxxxxxx>
Date: Thu, 23 May 2013 20:52:12 +0000
Resent-date: Thu, 23 May 2013 21:07:10 +0000
Resent-from: Jeremy Stanley <jeremy@xxxxxxxxxxxxx>
Resent-message-id: <20130523210710.GF29720@xxxxxxxxxxxxx>
Resent-to: openstack@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.20 (2009-06-14)

OpenStack Security Advisory: 2013-013
CVE: CVE-2013-2013
Date: May 23, 2013
Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing the process and potentially leaves
a record of the password within the shell command history.

Fix:
https://review.openstack.org/28702

Notes:
A fix has already been merged to the python-keystoneclient master
branch on 2013-05-21 (commit f2e0818) which adds an interactive
password prompt, and will appear in the next release of
python-keystoneclient.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013
https://bugs.launchpad.net/python-keystoneclient/+bug/938315

-- 
Jeremy Stanley (fungi)
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: Digital signature

Follow ups

Re: [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)
From: Lloyd Dewolf, 2013-06-03