Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

2013-06-04 Thread Thierry Carrez
Robert Collins wrote:
> What if we were to always do a release after a security advisory?

We don't do a server stable release after each security advisory as it doesn't significantly help spreading the fix, but I agree that for client libraries (where the PyPI releases are the main form of

Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

2013-06-03 Thread Lloyd Dewolf
I appreciate that it often isn't appropriate, but in this case it might have been beneficial to include python-keystoneclient version 0.2.4 where this is first resolved.

Thank you,
Lloyd

On Thu, May 23, 2013 at 1:52 PM, Jeremy Stanley jer...@openstack.org wrote:
> OpenStack Security Advisory:

Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

2013-06-03 Thread Jeremy Stanley
On 2013-06-03 10:01:03 -0700 (-0700), Lloyd Dewolf wrote:
> I appreciate that it often isn't appropriate, but in this case it might have been beneficial to include python-keystoneclient version 0.2.4 where this is first resolved.

What's the better way to do that, do you think? Delay the

Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

2013-06-03 Thread Lloyd Dewolf
Thanks Jeremy, I agree with you. I prefer a follow up after the fact. Interestingly, the OSSA 2013-014 notice did include python-keystoneclient fix (will be included in upcoming 0.2.4 release).

Thank you,
Lloyd

On Mon, Jun 3, 2013 at 10:37 AM, Jeremy Stanley fu...@yuggoth.org wrote:
> On

Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

2013-06-03 Thread Jeremy Stanley
On 2013-06-03 10:51:19 -0700 (-0700), Lloyd Dewolf wrote:
> [...]
> Interestingly, the OSSA 2013-014 notice did include python-keystoneclient fix (will be included in upcoming 0.2.4 release).

I'm going to chalk that up to Thierry knowing the version number at that point, since the OSSA 2013-014

Re: [Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

2013-06-03 Thread Robert Collins
What if we were to always do a release after a security advisory?

On 4 Jun 2013 06:25, Jeremy Stanley fu...@yuggoth.org wrote:
> On 2013-06-03 10:51:19 -0700 (-0700), Lloyd Dewolf wrote:
> > [...]
> > Interestingly, the OSSA 2013-014 notice did include python-keystoneclient fix (will be included in

[Openstack] [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)

2013-05-23 Thread Jeremy Stanley
OpenStack Security Advisory: 2013-013
CVE: CVE-2013-2013
Date: May 23, 2013
Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability that the keystone client