Wednesday, October 23, 2013

[USN-2002-1] Keystone vulnerabilities

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJSaDU/AAoJEFHb3FjMVZVzbOkQAI4cazKdDv0SOl4lgRytkY3A
ioDIzSCBDgH+iY1PhVIhQjgDUKmZ0Uexj70AgmZcUz0Zfrx6hpzYuNQ2z6FxGh+t
BLtsYF19pGyTHy20zdbqPvweW9OolXuDKGrksEixSDdRhXCOlkvsciFhIi41sViE
VpAzIy2i1YUtYaJt3dIfQEszngYb5vI230Q/cqhnl94niWGwa7zigR4xBDMEO8vR
YX0t79BQ2QKcDfj2JNCznQwwIMFqi6SrgE7za0Gi546xghvXtYpi+toP7S+0t+xA
S0C5Mn2O7ApOp8AlTj7bc9ujw6atmt3eJJShifXcaIdf2GvjA8r+FDlJjndw6O4Q
fpEpzwiIQn+Ev8dItbZCz4jIiAc92qnxi6pRIz3WlbcZA0zeafv2cm9LRRVOpEkL
Jl/x3q2MW+edZElLCIwpmobXi+4r/tWsC2i21dLklkRmLD3L7ebbuX/sNFHwZM9J
VUr1CJLuUYVRy7xZDx3mzqzUgBcEmEYO/hjDqCpydshqa1GyTI2jG5Ts2xxpYgw3
KBQF1F8NSV56fkNBZ5sBRFSBymsiKDQ6Q1caLrY8EUhltpZfk/4ulOmoKJP4lTJf
kers4NPG+7zWVKeq/Oh6Naf8xtJASZK8DgjeOo6nXz1iUwpvT2HzXK/xtsyPC1f4
/bZUdrp4EnWf08sq0zbG
=121x
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-2002-1
October 23, 2013

keystone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10

Summary:

Keystone would improperly grant access to invalid tokens under certain
circumstances.

Software Description:
- keystone: OpenStack identity service

Details:

Chmouel Boudjnah discovered that Keystone did not properly invalidate user
tokens when a tenant was disabled which allowed an authenticated user to
retain access via the token. (CVE-2013-4222)

Kieran Spear discovered that Keystone did not properly verify PKI tokens
when performing revocation when using the memcache and KVS backends. An
authenticated attacker could exploit this to bypass intended access
restrictions. (CVE-2013-4294)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-keystone 1:2013.1.3-0ubuntu1.1

Ubuntu 12.10:
python-keystone 2012.2.4-0ubuntu3.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2002-1
CVE-2013-4222, CVE-2013-4294

Package Information:
https://launchpad.net/ubuntu/+source/keystone/1:2013.1.3-0ubuntu1.1
https://launchpad.net/ubuntu/+source/keystone/2012.2.4-0ubuntu3.2

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)