--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/CVE-2015-3646.patch	Tue May 19 10:36:23 2015 -0700
@@ -0,0 +1,36 @@
+Errata patch for CVE-2015-3646
+https://review.openstack.org/173034
+git fetch https://review.openstack.org/openstack/keystone refs/changes/34/173034/2 && git checkout FETCH_HEAD
+Fixed upstream and in a future release.
+---
+From 695153a523faa9310e2e20d0333c33a47334208a Mon Sep 17 00:00:00 2001
+From: Eric Brown <[email protected]>
+Date: Mon, 13 Apr 2015 11:37:53 -0700
+Subject: [PATCH] backend_argument should be marked secret
+
+Since the backend_argument can potentially contain a password,
+it should be marked secret to avoid leakage into the logs.
+
+Closes-Bug: #1443598
+
+Change-Id: I55663db4cf2df84a66de8f64fba4b4f129ae827d
+(cherry picked from commit f9db1a65bd4d83d12c572ba4d5807845996ef410)
+---
+ keystone/common/config.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/keystone/common/config.py b/keystone/common/config.py
+index d7f9dd8..d953e49 100644
+--- a/keystone/common/config.py
++++ b/keystone/common/config.py
+@@ -313,7 +313,7 @@ FILE_OPTIONS = {
+                         'deployments.  Small workloads (single process) '
+                         'like devstack can use the dogpile.cache.memory '
+                         'backend.'),
+-        cfg.MultiStrOpt('backend_argument', default=[],
++        cfg.MultiStrOpt('backend_argument', default=[], secret=True,
+                         help='Arguments supplied to the backend module. '
+                              'Specify this option once per argument to be '
+                              'passed to the dogpile.cache backend. Example '
+-- 
+1.9.1