The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services.
These updated packages have been upgraded to upstream version 2012.2.4, which provides a number of bug fixes over the previous version. (BZ#950132)
This update also fixes the following security issue:
In environments using LDAP (Lightweight Directory Access Protocol), if debug-level logging was enabled (for example, by enabling it in "/etc/keystone/keystone.conf"), the LDAP server password was logged in plain text to a world-readable log file. Debug-level logging is not enabled by default. (CVE-2013-2006)
This update also fixes the following bugs:
If the Keystone service encountered an HTTP error caused by a transient network error, authentication tokens were listed as invalid. With this update, the Keystone service retries requests a few times before failing, which masks transient network errors. (BZ#919526)
The "/var/log/keystone/" directory was world-readable. With this update, world-read permissions have been removed. (BZ#956474)
All users of openstack-keystone are advised to upgrade to these updated packages, which correct these issues. After installing the updated packages, the Keystone service (openstack-keystone) will be restarted automatically.
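A host check for the two exposure conditions described above (CVE-2013-2006 and BZ#956474), added here as an example; it is not part of the advisory or of the Keystone packages. It assumes the standard Keystone option names `[DEFAULT] debug` and `[ldap] password`, which the advisory does not spell out, and `ini_get` and `audit_keystone` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Paths are arguments so it runs on a fixture.

# ini_get FILE SECTION KEY: print the key's value (last assignment wins).
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*\[/ { t = $0; gsub(/[ \t\r]/, "", t); in_s = (t == s); next }
        in_s && /^[ \t]*[#;]/ { next }
        in_s && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == k) { out = substr($0, index($0, "=") + 1)
                            gsub(/^[ \t]+|[ \t\r]+$/, "", out) }
        }
        END { if (out != "") print out }' "$1"
}

# audit_keystone CONF LOGDIR: one line per finding; exit status = finding count.
audit_keystone() {
    conf=$1 logdir=$2 n=0
    # Assumed option names: [DEFAULT] debug and [ldap] password.
    case $(ini_get "$conf" DEFAULT debug | tr 'A-Z' 'a-z') in
        true|1|yes|on) echo "DEBUG_ENABLED $conf"; n=$((n + 1)) ;;
    esac
    # Anything under LOGDIR (the directory included) with the other-read bit set.
    if [ -n "$(find "$logdir" -perm -004 2>/dev/null)" ]; then
        echo "WORLD_READABLE $logdir"; n=$((n + 1))
    fi
    # Look for the configured bind password in the logs; never print it.
    pw=$(ini_get "$conf" ldap password)
    if [ -n "$pw" ]; then
        hits=$(find "$logdir" -type f -exec grep -lF -e "$pw" {} + 2>/dev/null || true)
        if [ -n "$hits" ]; then
            echo "$hits" | sed 's/^/PASSWORD_IN_LOG /'; n=$((n + 1))
        fi
    fi
    return "$n"
}

# Constructed fixture (made-up values) so the example runs offline.
demo() {
    d=$(mktemp -d); mkdir "$d/log"
    printf '[DEFAULT]\ndebug = True\n[ldap]\npassword = Constructed-Pw-1\n' > "$d/keystone.conf"
    printf 'DEBUG ldap bind password=Constructed-Pw-1\n' > "$d/log/keystone.log"
    chmod 755 "$d/log"; chmod 644 "$d/log/keystone.log"
    audit_keystone "$d/keystone.conf" "$d/log"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```

On a real host, run `audit_keystone /etc/keystone/keystone.conf /var/log/keystone` as root in place of `demo`. Treat any PASSWORD_IN_LOG finding as an exposed LDAP bind password and rotate it; compressed rotated logs are not searched.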