j-ago reports: A security flaw was found in the way OpenStack Keystone (previously) performed management of LDAP password and admin_token Keystone daemon configuration file values. A local attacker could use this flaw to obtain sensitive information.
Relevant upstream patch (Gerrit form): [3] https://review.openstack.org/#/c/26826/
External references:
https://bugs.launchpad.net/ossn/+bug/1168252
http://openwall.com/lists/oss-security/2013/04/24/1
Further CVE-2013-1977 vs CVE-2013-2006 ids disambiguation: https://bugs.launchpad.net/devstack/+bug/1168252/comments/7
Thierry Carrez via OSS security: "This is tracked at https://bugs.launchpad.net/keystone/+bug/1172195 Note that it only affects DEBUG level logs."
Created openstack-keystone tracking bugs for this issue Affects: fedora-all [bug 956849]
Created openstack-keystone tracking bugs for this issue Affects: epel-6 [bug 956850]
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0806 https://rhn.redhat.com/errata/RHSA-2013-0806.html
openstack-keystone-2012.2.4-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
openstack-keystone-2013.1.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
openstack-keystone-2012.2.4-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.