As discussed on the stable-maint list[1] such change isn't appropriate for the stable branch. Distros can carry the proposed patch[2] or drop oauth support in their Havana packages, to address security concerns with oauth2.
[1] http://lists.openstack.org/pipermail/openstack-stable-maint/2014-March/002242.html [2] https://review.openstack.org/70750 ** Also affects: keystone/havana Importance: Undecided Status: New ** Changed in: keystone/havana Status: New => Won't Fix ** Changed in: keystone/havana Importance: Undecided => High -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1240382 Title: python-oauth2 dependency is unmaintained and has security issues Status in OpenStack Identity (Keystone): Fix Released Status in Keystone havana series: Won't Fix Bug description: oauth2 is not maintained and have 2 CVE issues CVE-2013-4346 and CVE-2013-4347 and is not Python3 compatible can you remove this dependency (maybe switching to requests ? ) To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1240382/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
