yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1240382] Re: python-oauth2 dependency is unmaintained and has security issues

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Alan Pevec <1240382@xxxxxxxxxxxxxxxxxx>
Date: Wed, 09 Apr 2014 11:37:05 -0000
Reply-to: Bug 1240382 <1240382@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

As discussed on the stable-maint list[1] such change isn't appropriate for the stable branch.
Distros can carry the proposed patch[2] or drop oauth support in their Havana packages, to address security concerns with oauth2.

[1] http://lists.openstack.org/pipermail/openstack-stable-maint/2014-March/002242.html
[2] https://review.openstack.org/70750

** Also affects: keystone/havana
   Importance: Undecided
       Status: New

** Changed in: keystone/havana
       Status: New => Won't Fix

** Changed in: keystone/havana
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1240382

Title:
  python-oauth2 dependency is unmaintained and has security issues

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  Won't Fix

Bug description:
  oauth2 is not maintained and have 2 CVE issues CVE-2013-4346 and CVE-2013-4347 and is not Python3 compatible
  can you remove this dependency (maybe switching to requests ? )

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1240382/+subscriptions