Bug 817415 - VUL-1: python-keystoneclient: CVE-2013-2013: password disclosure on command line
Status: RESOLVED FIXED
Duplicates: 821328
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P4 - Low  Severity: Minor
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp2:52961
Reported: 2013-04-26 15:50 UTC by Alexander Bergmann
Modified: 2013-07-05 14:32 UTC
Description Alexander Bergmann 2013-04-26 15:50:46 UTC
Public via oss-security:

From: Kurt Seifried <kseifried@redhat.com>
Date: Fri, 26 Apr 2013 00:28:28 -0600
Subject: [oss-security] CVE-2013-2013 - OpenStack keystone password disclosure on command line

While auditing OpenStack bugs for flaws needing CVEs, I came across
this (as yet unfixed) one:

https://bugs.launchpad.net/python-keystoneclient/+bug/938315

[root@rhos ~]# keystone user-password-update --user=jake
usage: keystone user-password-update --pass <password> <user-id>
keystone user-password-update: error: too few arguments

This class of vuln typically gets a CVE.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=command+line+password

CVE text:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.

Please use CVE-2013-2013 for this issue.
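The bug class in the CVE text above, shown as added example code that is not part of this bug report or of python-keystoneclient: a hypothetical argparse-based `user-password-update` command in the vulnerable shape (the password can only arrive via `--pass`, so it sits in argv and is readable by every local user through `ps` or /proc/<pid>/cmdline), beside a hardened shape that keeps `--pass` optional and prefers an environment variable or a getpass prompt, plus an audit helper that reports password-carrying flags found in process command lines. The variable name OS_NEW_PASSWORD, the flag list and all sample command lines are assumptions constructed for this example.

```python
import argparse
import getpass
import os
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Hypothetical environment variable used by the hardened variant (assumption).
ENV_VAR = "OS_NEW_PASSWORD"
# Flags that, if present in argv, put a secret into a world-readable process listing.
PASSWORD_FLAGS = ("--pass", "--password", "--os-password")


def vulnerable_parser() -> argparse.ArgumentParser:
    """The CVE's pattern: argv is the only way to hand over the password."""
    p = argparse.ArgumentParser(prog="keystone user-password-update")
    p.add_argument("--pass", dest="password", required=True,
                   help="new password (ends up in `ps` output for all local users)")
    p.add_argument("user_id")
    return p


def hardened_parser() -> argparse.ArgumentParser:
    """--pass stays for compatibility but is optional; safer sources are preferred."""
    p = argparse.ArgumentParser(prog="keystone user-password-update")
    p.add_argument("--pass", dest="password", default=None,
                   help="new password (discouraged: visible to other local users)")
    p.add_argument("user_id")
    return p


def resolve_password(args: argparse.Namespace,
                     env: Optional[Dict[str, str]] = None,
                     prompt: Callable[[str], str] = getpass.getpass) -> Tuple[str, str]:
    """Return (source, password), taking the password from the least exposed source.

    Order: explicit --pass (only if the caller insisted on it), then the
    environment (readable by the same user and root, not by everyone), then an
    interactive prompt that never touches argv or the environment at all.
    """
    env = os.environ if env is None else env
    if args.password is not None:
        return "argv", args.password
    if env.get(ENV_VAR):
        return "env", env[ENV_VAR]
    return "prompt", prompt("New password: ")


def run(argv: Sequence[str], env: Optional[Dict[str, str]] = None,
        prompt: Callable[[str], str] = getpass.getpass) -> Tuple[str, str, str]:
    """Parse argv with the hardened parser; return (user_id, source, password)."""
    args = hardened_parser().parse_args(list(argv))
    source, password = resolve_password(args, env, prompt)
    return args.user_id, source, password


def exposed_password_flags(cmdline: str) -> List[str]:
    """Audit check for one process command line (e.g. a row of `ps -eo args`).

    Returns the password flags found, whether written as `--flag value` or
    `--flag=value`. Only the flag name is reported, never the value, so the
    audit output does not itself become a second copy of the secret.
    """
    hits = []
    for token in cmdline.split():
        name = token.split("=", 1)[0]
        if name in PASSWORD_FLAGS:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Vulnerable form: the secret is part of the process's argv.
    print(vulnerable_parser().parse_args(["--pass", "hunter2", "jake"]))
    # Hardened form with a constructed environment: nothing secret in argv.
    print(run(["jake"], env={ENV_VAR: "hunter2"}))
    # Hardened form falling back to a prompt (stubbed so this runs non-interactively).
    print(run(["jake"], env={}, prompt=lambda _: "prompted-secret"))
    # Constructed process listing run through the audit helper.
    for line in ("keystone user-password-update --pass hunter2 jake",
                 "keystone --os-password=s3cret user-list",
                 "keystone user-list"):
        print(line, "->", exposed_password_flags(line))
```

The environment is not a perfect home for a secret either (root and same-user processes can read /proc/<pid>/environ), which is why the interactive prompt is the default when nothing else is supplied; the audit helper is the check an operator can run over a process listing to find commands that still use the argv pattern.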
Comment 1 Swamp Workflow Management 2013-04-26 22:00:28 UTC
bugbot adjusting priority
Comment 2 Vincent Untz 2013-04-30 12:13:00 UTC
Sascha, can you take care of this?

If you want to handle a quick update on 12.3, that's welcome too ;-) Otherwise, I'll just do it in 10 days.
Comment 3 Sascha Peilicke 2013-05-02 09:30:14 UTC
The corresponding upstream review is abandoned currently [0], but I'll track progress.

[0] https://review.openstack.org/#/c/12669/
Comment 4 Alexander Bergmann 2013-05-23 08:04:30 UTC
*** Bug 821328 has been marked as a duplicate of this bug. ***
Comment 5 Alexander Bergmann 2013-05-23 08:06:18 UTC
Upstream Fix:

https://review.openstack.org/28702
Comment 6 Sascha Peilicke 2013-05-23 13:55:53 UTC
@vun (In reply to comment #2)
> Sascha, can you take care of this?
I backported this / added a patch; moving to the most recent keystoneclient would introduce additional dependencies on pbr and d2to1. Currently in Devel:Cloud:1.0:OpenStack. Will submit to SP2:Update once testing has passed.
Comment 7 Vincent Untz 2013-06-10 09:04:21 UTC
Sascha: hrm, I guess something went wrong in Jenkins and we don't have the magic that copies this to D:C:1.0 anymore? :/
Comment 8 Sascha Peilicke 2013-06-12 03:45:01 UTC
(In reply to comment #7)
Ok, submitted to Devel:Cloud:1.0 by hand and forwarded to SUSE:SLE-11-SP2:Update:Test, sr#27124. Security's turn.
Comment 9 Swamp Workflow Management 2013-06-14 06:37:19 UTC
The SWAMPID for this issue is 52960.
This issue was rated as low.
Please submit fixed packages by 2013-07-12.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 10 Marcus Meissner 2013-06-14 06:50:33 UTC
submitted patchinfo.

Sascha had incorrectly self-accepted this into SP2:Update:Test already, but
let's just do this.
Comment 11 Vincent Untz 2013-06-17 03:25:34 UTC
Submitted to openSUSE:12.3 too in sr#179266.
Comment 12 Swamp Workflow Management 2013-06-21 10:45:35 UTC
Update released for: python-keystoneclient, python-keystoneclient-doc, python-keystoneclient-test
Products:
SUSE-CLOUD 1.0 (x86_64)
Comment 13 Swamp Workflow Management 2013-06-27 09:04:51 UTC
openSUSE-SU-2013:1090-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 817415
CVE References: CVE-2013-2013
Sources used:
openSUSE 12.3 (src):    python-keystoneclient-0.2.1.3.gd37a3fb+git.1357543650.d37a3fb-2.8.1
Comment 14 Marcus Meissner 2013-07-05 14:32:42 UTC
It's done.