
Security: Two issues in OpenStack
Name: Two issues in OpenStack
ID: USN-1875-1
Distribution: Ubuntu
Platforms: Ubuntu 12.10, Ubuntu 13.04
Date: Fri, 14 June 2013, 06:18
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2157
Applications: OpenStack

Original message

==========================================================================
Ubuntu Security Notice USN-1875-1
June 14, 2013

keystone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10

Summary:

Keystone did not always properly verify expired PKI tokens or properly
authenticate users.

Software Description:
- keystone: OpenStack identity service

Details:

Eoghan Glynn and Alex Meade discovered that Keystone did not properly
perform expiry checks for the PKI tokens used in Keystone. If Keystone were
set up to use PKI tokens, a previously authenticated user could continue to
use a PKI token for longer than intended. This issue only affected Ubuntu
12.10, which does not use PKI tokens by default. (CVE-2013-2104)

Jose Castro Leon discovered that Keystone did not properly authenticate
users when using the LDAP backend. An attacker could obtain valid tokens
and impersonate other users by supplying an empty password. By default,
Ubuntu does not use the LDAP backend. (CVE-2013-2157)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-keystone 1:2013.1.1-0ubuntu2.1

Ubuntu 12.10:
python-keystone 2012.2.4-0ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1875-1
CVE-2013-2104, CVE-2013-2157

Package Information:
https://launchpad.net/ubuntu/+source/keystone/1:2013.1.1-0ubuntu2.1
https://launchpad.net/ubuntu/+source/keystone/2012.2.4-0ubuntu3.1

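The empty-password case described for the LDAP backend, as an added illustration that is not Keystone's code and not part of the advisory: a service that treats "the LDAP bind succeeded" as "the password was verified" is exposed whenever the directory permits RFC 4513 unauthenticated binds, so the check has to happen before and after the bind. `FakeDirectory`, `authenticate_naive`, `authenticate_checked` and the sample entry are hypothetical names and constructed data.

```python
class InvalidCredentials(Exception):
    """Raised when a bind or a login attempt is refused."""


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (not a real client).

    Per RFC 4513 section 5.1.2, a simple bind with a zero-length password is
    an "unauthenticated bind"; this stand-in models a server that permits it.
    """

    def __init__(self, users):
        self._users = users  # DN -> password (constructed sample data)

    def simple_bind(self, dn, password):
        if password == "":
            return "anonymous"  # bind succeeds, nobody was authenticated
        if self._users.get(dn) != password:
            raise InvalidCredentials(dn)
        return dn


def authenticate_naive(directory, dn, password):
    """Flawed pattern: any successful bind counts as proof of identity."""
    directory.simple_bind(dn, password)
    return dn  # a token would be issued for dn even after an anonymous bind


def authenticate_checked(directory, dn, password):
    """Hardened pattern: refuse empty credentials, then check who was bound."""
    if not dn or not password:
        raise InvalidCredentials("empty DN or password")
    if directory.simple_bind(dn, password) != dn:
        raise InvalidCredentials("bind did not authenticate the requested DN")
    return dn


def is_rejected(auth, directory, dn, password):
    """Return True when auth refuses the login attempt."""
    try:
        auth(directory, dn, password)
    except InvalidCredentials:
        return True
    return False


ALICE = "cn=alice,dc=example,dc=org"  # constructed sample entry
DIRECTORY = FakeDirectory({ALICE: "correct horse"})
```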