Bug 1085933 - Replace python-oauth2 with oauthlib
Summary: Replace python-oauth2 with oauthlib
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z4
Target Release: 4.0
Assignee: Alan Pevec
QA Contact: Udi Kalifon
URL:
Whiteboard:
Depends On: 1085944
Blocks:
Reported: 2014-04-09 16:41 UTC by Nathan Kinder
Modified: 2022-07-09 06:39 UTC

Fixed In Version: openstack-keystone-2013.2.3-3.el6ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-29 20:34:26 UTC
Target Upstream Version:
Embargoed:
nkinder: internal-review+




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1240382 | 0 | None | None | None | Never
OpenStack gerrit | 70750 | 0 | None | None | None | Never
Red Hat Issue Tracker | OSP-16429 | 0 | None | None | None | 2022-07-09 06:39:19 UTC
Red Hat Product Errata | RHSA-2014:0580 | 0 | normal | SHIPPED_LIVE | Moderate: openstack-keystone security and bug fix update | 2014-05-30 00:26:45 UTC

Description Nathan Kinder 2014-04-09 16:41:48 UTC
Keystone in RHEL OSP 4.0 uses python-oauth2, which is unmaintained and has security issues (CVE-2013-4346 and CVE-2013-4347).  Upstream has switched to using oauthlib instead as of Icehouse.  We should backport the changes for this and drop the python-oauth2 package.

Comment 1 Nathan Kinder 2014-04-09 16:45:21 UTC
Backport request for stable/havana (denied upstream): 

  https://review.openstack.org/#/c/70750/

Review/commit for Icehouse:

  https://review.openstack.org/64427
  https://git.openstack.org/cgit/openstack/keystone/commit/?id=bed88a2e724f5f23a1c839b7872b1bc56f059df5

Comment 6 Udi Kalifon 2014-04-22 14:10:56 UTC
Verified that oauth2 is not being used anywhere in the code, and only oauthlib is imported. No use case was tested.

python-keystone-2013.2.3-3.el6ost.noarch

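The check in comment 6 (no remaining use of the oauth2 module, only oauthlib imported) was done by reading the tree. The script below is an added example, not code from this bug, from Keystone or from the errata: it walks a source tree with Python's ast module and reports which .py files still import the legacy oauth2 package and which import oauthlib, so the same verification can be repeated mechanically on a rebuilt package. Parsing rather than grepping means a comment that merely mentions oauth2 is not a hit, while an import hidden inside a try/except fallback is. The file names and contents it writes into a temporary directory are constructed samples for the demonstration and are not Keystone's files.

```python
"""Audit a source tree for imports of the retired ``oauth2`` module.

Added example using only the standard library. The sample tree it builds
is constructed for the demonstration and does not reproduce Keystone's code.
"""
import ast
import tempfile
from pathlib import Path

# python-oauth2 installs the top-level package "oauth2"; oauthlib installs "oauthlib".
LEGACY_MODULES = {"oauth2"}
REPLACEMENT_MODULES = {"oauthlib"}


def imported_top_level_modules(source):
    """Return the set of top-level module names imported anywhere in ``source``.

    Walking the AST catches imports nested in functions or try/except blocks
    and ignores mentions of a module name inside comments or strings.
    """
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            # level > 0 is a relative import (from . import x): a local module,
            # not the third-party package, so it is not counted.
            if node.module and node.level == 0:
                names.add(node.module.split(".")[0])
    return names


def audit_tree(root):
    """Classify every .py file under ``root`` by which OAuth library it imports."""
    root = Path(root)
    report = {"legacy": [], "replacement": [], "unparsable": []}
    for path in sorted(root.rglob("*.py")):
        rel = path.relative_to(root).as_posix()
        try:
            modules = imported_top_level_modules(path.read_text(encoding="utf-8"))
        except SyntaxError:
            # A file we cannot parse is a finding too: it was not audited.
            report["unparsable"].append(rel)
            continue
        if modules & LEGACY_MODULES:
            report["legacy"].append(rel)
        if modules & REPLACEMENT_MODULES:
            report["replacement"].append(rel)
    return report


def build_sample_tree(root):
    """Write a constructed sample tree (hypothetical file names, not Keystone's)."""
    samples = {
        "pkg/oauth1/core.py": "from oauthlib import oauth1\n",
        "pkg/oauth1/validator.py": "from oauthlib.oauth1 import RequestValidator\n",
        # A leftover fallback import; a grep anchored on a leading 'import' would miss it.
        "pkg/oauth1/compat.py": (
            "try:\n"
            "    import oauth2 as oauth\n"
            "except ImportError:\n"
            "    oauth = None\n"
        ),
        # Mentions the old name only in a comment: must not be reported.
        "pkg/utils.py": "import hashlib  # TODO: drop remaining oauth2 helpers\n",
        # Relative import of a local module called oauth2, not the third-party package.
        "pkg/local.py": "from . import oauth2\n",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def run_demo():
    """Build the sample tree in a temporary directory, audit it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    result = run_demo()
    for key in ("legacy", "replacement", "unparsable"):
        print(f"{key}: {result[key]}")
    # Non-zero exit if anything still depends on the retired library or was not parsed.
    raise SystemExit(1 if result["legacy"] or result["unparsable"] else 0)
```

To run it against a real checkout, call audit_tree() on the unpacked source directory instead of run_demo(); a clean result is an empty "legacy" list and an empty "unparsable" list. The script only covers Python imports; the package dependency (Requires on python-oauth2 in the spec file) has to be checked separately.
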
Comment 9 errata-xmlrpc 2014-05-29 20:34:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0580.html

