SUSE-SU-2013:1067-1: Security update for python-keystoneclient
sle-security-updates at lists.suse.com
Fri Jun 21 14:04:15 MDT 2013
SUSE Security Update: Security update for python-keystoneclient
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:1067-1
Rating: low
References: #817415
Cross-References: CVE-2013-2013
Affected Products:
SUSE Cloud 1.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
python-keystoneclient has been updated to the latest git
version (e4ed1f3), which also fixes a security issue:
* CVE-2013-2013: a password disclosure on the command line
was fixed, which allowed local users to find out passwords
via ps.
Other changes:
* Update to latest git (e4ed1f3):
  o Fix scoped auth for non-admins (bug 1081192)
* Update to latest git (27f0c72):
  o Don't need to lazy load resources loaded from API
  o Add support for HEAD and PATCH
  o Add generic entity.delete()
  o Allow serialization impl to be overridden
  o enabling i18n with Babel
  o updating keystoneclient doc theme
  o updating base keystoneclient documentation
  o virtualenv quite installation for zypper
  o Manager for generic CRUD on v3
  o v3 Client & test utils
  o change default wrap for tokens from 78 characters to 0
  o v3 Service CRUD
  o v3 Endpoint CRUD
  o v3 Policy CRUD
  o v3 Domain CRUD
  o v3 Role CRUD
  o v3 Project CRUD
  o v3 User CRUD
  o v3 Credential CRUD
  o v3 List projects for a user
  o Fixed httplib2 mocking (bug 1050091, bug 1050097)
  o v3 Domain/Project role grants
  o Enable/disable services/endpoints (bug 1048662)
  o bootstrap a keystone user (e.g. admin) in one cmd
  o Useful error msg when missing catalog (bug 949904)
  o Added 'service_id' column to endpoint-list
  o Ensure JSON isn't read on no HTTP response body
  o use mock context managers instead of decorators+functions
  o Fixes https connections to keystone when no CA certificates
    are specified.
  o add a new HTTPClient attr for setting the original IP
  o Add OpenStack trove classifier for PyPI
  o Don't log an exception for an expected empty catalog.
  o Replace refs to 'Keystone API' with 'Identity API'
  o Update --os-* error messages
  o HACKING compliance: consistent usage of 'except'
  o Fix keystoneclient so swift works against Rackspace Cloud Files
  o fixes 1075376
  o Warn about bypassing auth on CLI (bug 1076225)
  o check creds before token/endpoint (bug 1076233)
  o Check for auth URL before password (bug 1076235)
  o removing repeat attempt at authorization in client
  o Make initial structural changes to keystoneclient in
    preparation to moving auth_token here from keystone. No
    functional change should occur from this commit (even though
    it did refresh a newer copy of openstack.common.setup.py, none
    of the newer updates are in functions called from this client)
  o Add auth-token code to keystoneclient, along with supporting
    files
  o Update README and CLI help
  o fixes auth_ref initialization error
  o Throw validation response into the environment
* Add Provides/Obsoletes for openSUSE-12.2 package name
  (openstack-keystoneclient and python-python-keystoneclient)
* Update to latest git (6c127df):
  o Fix PEP8 issues.
  o fixing pep8 formatting for 1.0.1+ pep8
  o Fixed httplib2 mocking (bug 1050091, bug 1050097)
  o Require httplib2 version 0.7 or higher.
  o removing deprecated commandline options
  o Handle "503 Service Unavailable" exception.
  o Fixes setup compatibility issue on Windows
  o switching options to match authentication paths
  o Add wrap option to keystone token-get for humans
  o Allow empty description for tenants.
  o pep8 1.3.1 cleanup
Security Issue reference:
* CVE-2013-2013
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2013>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Cloud 1.0:
zypper in -t patch sleclo10sp2-python-keystoneclient-7868
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Cloud 1.0 (x86_64):
python-keystoneclient-2012.1+git.1353428216.e4ed1f3-0.5.1
References:
http://support.novell.com/security/cve/CVE-2013-2013.html
https://bugzilla.novell.com/817415
http://download.novell.com/patch/finder/?keywords=063a4ebcd43a01eecec673fc801eed73
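
Added example, not part of the original advisory or of python-keystoneclient: a small audit helper for the exposure class behind CVE-2013-2013 (secrets passed as process arguments are readable by other local users). It parses NUL-separated argument vectors and reports which processes carried a password flag, masking the value in the report. The flag watch list (--os-password, --pass) and the sample process data are assumptions constructed for illustration.

```python
SECRET_FLAGS = {"--os-password", "--pass"}  # assumed watch list, adjust per site
REDACTED = "********"


def parse_cmdline(raw):
    """Split NUL-separated argv bytes (the /proc/<pid>/cmdline format)."""
    if raw.endswith(b"\0"):
        raw = raw[:-1]
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0")] if raw else []


def redact(argv):
    """Return (argv with secret values masked, sorted flags that carried a value)."""
    out, hits, pending = [], set(), None
    for arg in argv:
        if pending:                       # value of a preceding "--flag value" pair
            hits.add(pending)
            out.append(REDACTED)
            pending = None
            continue
        flag, sep, _value = arg.partition("=")
        if flag in SECRET_FLAGS and sep:  # "--flag=value" form
            hits.add(flag)
            out.append(flag + "=" + REDACTED)
        else:
            out.append(arg)
            pending = arg if arg in SECRET_FLAGS else None
    return out, sorted(hits)


def audit(processes):
    """processes: iterable of (pid, raw cmdline bytes); findings never hold the secret."""
    findings = []
    for pid, raw in processes:
        argv, hits = redact(parse_cmdline(raw))
        if hits:
            findings.append({"pid": pid, "flags": hits, "cmdline": " ".join(argv)})
    return findings


# Constructed sample data, not captured from a real system.
SAMPLE = [
    (4101, b"keystone\0--os-username\0admin\0--os-password\0s3cret\0user-list\0"),
    (4102, b"keystone\0--os-password=s3cret\0tenant-list\0"),
    (4103, b"keystone\0user-list\0"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["pid"], ",".join(f["flags"]), f["cmdline"])
```

A finding means the credential should be treated as exposed to local users and rotated, and the calling script changed to supply it some other way than as an argument.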