Date: Thu, 23 May 2013 20:52:12 +0000 From: Jeremy Stanley <jeremy@...nstack.org> To: openstack@...ts.launchpad.net, oss-security@...ts.openwall.com Subject: [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013) OpenStack Security Advisory: 2013-013 CVE: CVE-2013-2013 Date: May 23, 2013 Title: Keystone client local information disclosure Reporter: Jake Dahn (Nebula) Products: python-keystoneclient Affects: All versions Description: Jake Dahn from Nebula reported a vulnerability that the keystone client only allows passwords to be updated in a clear text command-line argument, which may enable other local users to obtain sensitive information by listing the process and potentially leaves a record of the password within the shell command history. Fix: https://review.openstack.org/28702 Notes: A fix has already been merged to the python-keystoneclient master branch on 2013-05-21 (commit f2e0818) which adds an interactive password prompt, and will appear in the next release of python-keystoneclient. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013 https://bugs.launchpad.net/python-keystoneclient/+bug/938315 -- Jeremy Stanley (fungi) OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (967 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.