Security: Two problems in OpenStack

Name: Two problems in OpenStack
ID: USN-1875-1
Distribution: Ubuntu
Platforms: Ubuntu 12.10, Ubuntu 13.04
Date: Fri, 14 June 2013, 06:18
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2157
Applications: OpenStack

Original message
==========================================================================
Ubuntu Security Notice USN-1875-1
June 14, 2013

keystone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
Summary:
Keystone did not always properly verify expired PKI tokens or properly authenticate users.
Software Description:
- keystone: OpenStack identity service
Details:
Eoghan Glynn and Alex Meade discovered that Keystone did not properly perform expiry checks for the PKI tokens used in Keystone. If Keystone were set up to use PKI tokens, a previously authenticated user could continue to use a PKI token for longer than intended. This issue only affected Ubuntu 12.10, which does not use PKI tokens by default. (CVE-2013-2104)
Jose Castro Leon discovered that Keystone did not properly authenticate users when using the LDAP backend. An attacker could obtain valid tokens and impersonate other users by supplying an empty password. By default, Ubuntu does not use the LDAP backend. (CVE-2013-2157)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 13.04: python-keystone 1:2013.1.1-0ubuntu2.1
Ubuntu 12.10: python-keystone 2012.2.4-0ubuntu3.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1875-1
CVE-2013-2104, CVE-2013-2157

Package Information:
https://launchpad.net/ubuntu/+source/keystone/1:2013.1.1-0ubuntu2.1
https://launchpad.net/ubuntu/+source/keystone/2012.2.4-0ubuntu3.1