Bugzilla – Bug 817415
VUL-1: python-keystoneclient: CVE-2013-2013: password disclosure on command line
Last modified: 2013-07-05 14:32:42 UTC
Public via oss-security:
From: Kurt Seifried <firstname.lastname@example.org>
Date: Fri, 26 Apr 2013 00:28:28 -0600
Subject: [oss-security] CVE-2013-2013 - OpenStack keystone password disclosure on command line
While auditing OpenStack bugs for flaws needing CVEs I came across
this (as of yet unfixed) one:
[root@rhos ~]# keystone user-password-update --user=jake
usage: keystone user-password-update --pass <password> <user-id>
keystone user-password-update: error: too few arguments
This class of vuln typically gets a CVE.
OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.
Please use CVE-2013-2013 for this issue.
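The exposure Kurt describes above, as an added example that is not part of this bug or of python-keystoneclient: an audit check over constructed /proc/<pid>/cmdline samples that flags processes carrying a password in argv, beside a hardened parser for the usage shown in the report. The flag list, the optional --pass and the no-echo prompt fallback are assumptions for illustration, not the upstream fix.

```python
import argparse
import getpass
from typing import Callable, Dict

# Constructed sample of /proc/<pid>/cmdline contents (argv joined by NUL
# bytes), i.e. what any local user sees in a process listing. Not real data.
SAMPLE_CMDLINES: Dict[int, bytes] = {
    4101: b"keystone\0user-password-update\0--pass\0s3cret\0jake\0",
    4102: b"keystone\0user-password-update\0--pass=s3cret\0jake\0",
    4103: b"keystone\0user-list\0",
}

# Flag names that carry a secret in argv (hypothetical list for this example).
PASSWORD_FLAGS = ("--pass", "--password", "--os-password")


def exposed_password_flags(cmdlines: Dict[int, bytes]) -> Dict[int, str]:
    """Audit check: map pid -> offending flag for processes whose argv
    carries a password. Deliberately does not return the secret itself."""
    hits: Dict[int, str] = {}
    for pid, raw in cmdlines.items():
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        for arg in argv:
            # handles both "--pass VALUE" and "--pass=VALUE" spellings
            name = arg.split("=", 1)[0]
            if name in PASSWORD_FLAGS:
                hits[pid] = name
                break
    return hits


def build_parser() -> argparse.ArgumentParser:
    """Hardened variant of the usage in the report: --pass is optional,
    so the secret need not appear in argv at all."""
    p = argparse.ArgumentParser(prog="keystone user-password-update")
    p.add_argument("--pass", dest="password", metavar="<password>",
                   help="new password; omit it to be prompted securely")
    p.add_argument("user_id", metavar="<user-id>")
    return p


def resolve_password(args: argparse.Namespace,
                     prompt: Callable[[str], str] = getpass.getpass) -> str:
    """Use the argv value only when given; otherwise read it from the
    terminal with echo disabled, which keeps it out of the process list."""
    if args.password is not None:
        return args.password
    return prompt("New password: ")
```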
bugbot adjusting priority
Sascha, can you take care of this?
If you want to handle a quick update on 12.3, that's welcome too ;-) Otherwise, I'll just do it in 10 days.
The corresponding upstream review is abandoned currently, but I'll track progress.
*** Bug 821328 has been marked as a duplicate of this bug. ***
@vun(In reply to comment #2)
> Sascha, can you take care of this?
I backported this / added a patch; moving to the most recent keystoneclient would introduce additional dependencies on pbr and d2to1. Currently in Devel:Cloud:1.0:OpenStack. Will submit to SP2:Update once testing has passed.
Sascha: hrm, I guess something went wrong in Jenkins and we don't have the magic that copies this to D:C:1.0 anymore? :/
(In reply to comment #7)
Ok, submitted to Devel:Cloud:1.0 by hand and forwarded to SUSE:SLE-11-SP2:Update:Test, sr#27124. Security's turn.
The SWAMPID for this issue is 52960.
This issue was rated as low.
Please submit fixed packages until 2013-07-12.
When done, please reassign the bug to email@example.com.
Patchinfo will be handled by security team.
sascha had incorrectly self-accepted this into SP2:Update:Test already, but let's just do this.
Submitted to openSUSE:12.3 too in sr#179266.
Update released for: python-keystoneclient, python-keystoneclient-doc, python-keystoneclient-test
SUSE-CLOUD 1.0 (x86_64)
openSUSE-SU-2013:1090-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 817415
CVE References: CVE-2013-2013
openSUSE 12.3 (src): python-keystoneclient-0.2.1.3.gd37a3fb+git.1357543650.d37a3fb-2.8.1