Wednesday, March 20, 2013

[USN-1772-1] OpenStack Keystone vulnerability

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCgAGBQJRSiInAAoJEFHb3FjMVZVzvBwQALKc+DXZluCCS9bWdfhDploX
VnZqUvWZJgh5UOZf+DgEdtfbXAk2UXhsSIrbnJu3yMqC7HQHsJdVCqm4/V4aeBG5
nebc11Arvc565BepMfTbRgrvO6OlmvtxblQlSa6sRZtHnCjOb/9valQ48pzQ2ZfT
QOh7L5OrVkob0BRg7+JK2OBK2vQDvoVyjzxcya/mRimOcMfD01Wd3rpbVI++ckQw
abf7/pPRaOUBTROsIvNcaUjHyLIMjEQWfePjIZNsr7BZeBxLAUDDBqZEIUUFSV+X
j5rMo2LAi5oRFKE3ePgw8Q61Ioe/JB7mzSSzKloegkmi562ZBMD8eTF//nL+IQqV
WNhdtDY12f8Cz389wRODALTkZYTM071fJ+70y0NGwspg/yALXTNs7iwGQZjApjVR
5WIHilmHZthsBPURwthP403ZGLRTA98LNnQLrq2qLYS7IROmlw8AN+YvFL/Znhll
5GrsfkjhzXiIXGSO6kRHTv0JBvGYtpvB09chp5TiqoKczm/Kvq+Dd2DP9PKTlgt0
+irdHyL3gNa5fUdw1aQUXCrvhWWLUy0kwhwlMRkUsKvykMSyYO6wmFBzERfOQDz4
0UcuKMA0vnZjrANO4mySjLiiPtBxDdvTYDz9zJVduDhJZJyvHx2UMqaRdpgy58eM
MOo28oWOn7KK0icoaDt8
=gLnf
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1772-1
March 20, 2013

keystone vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

Under certain configurations, Keystone would allow unintended access over
the network.

Software Description:
- keystone: OpenStack identity service

Details:

Guang Yee discovered that Keystone would not always perform all
verification checks when configured to use PKI. If the keystone server was
configured to use PKI and services or users requested online verification,
an attacker could potentially exploit this to bypass revocation checks.
Keystone uses UUID tokens by default in Ubuntu.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
python-keystone 2012.2.1-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1772-1
CVE-2013-1865

Package Information:
https://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1.3

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)