Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in Keystone
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in Keystone
ID: USN-2002-1
Distribution: Ubuntu
Plattformen: Ubuntu 12.10, Ubuntu 13.04
Datum: Do, 24. Oktober 2013, 06:57
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4294
Applikationen: OpenStack

Originalnachricht

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============6556648888033735055==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="iTriCVqLUF6nVBpvJpWsabpxNV8aHsJ5X"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--iTriCVqLUF6nVBpvJpWsabpxNV8aHsJ5X
Content-Type: text/plain; charset=UTF-
Content-Transfer-Encoding: quoted-printable


==========================================================================
Ubuntu Security Notice USN-2002-1
October 23, 2013

keystone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10

Summary:

Keystone would improperly grant access to invalid tokens under certain
circumstances.

Software Description:
- keystone: OpenStack identity service

Details:

Chmouel Boudjnah discovered that Keystone did not properly invalidate user
tokens when a tenant was disabled which allowed an authenticated user to
retain access via the token. (CVE-2013-4222)

Kieran Spear discovered that Keystone did not properly verify PKI tokens
when performing revocation when using the memcache and KVS backends. An
authenticated attacker could exploit this to bypass intended access
restrictions. (CVE-2013-4294)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-keystone 1:2013.1.3-0ubuntu1.1

Ubuntu 12.10:
python-keystone 2012.2.4-0ubuntu3.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2002-1
CVE-2013-4222, CVE-2013-4294

Package Information:
https://launchpad.net/ubuntu/+source/keystone/1:2013.1.3-0ubuntu1.1
https://launchpad.net/ubuntu/+source/keystone/2012.2.4-0ubuntu3.2





--iTriCVqLUF6nVBpvJpWsabpxNV8aHsJ5X
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJSaDU/AAoJEFHb3FjMVZVzbOkQAI4cazKdDv0SOl4lgRytkY3A
ioDIzSCBDgH+iY1PhVIhQjgDUKmZ0Uexj70AgmZcUz0Zfrx6hpzYuNQ2z6FxGh+t
BLtsYF19pGyTHy20zdbqPvweW9OolXuDKGrksEixSDdRhXCOlkvsciFhIi41sViE
VpAzIy2i1YUtYaJt3dIfQEszngYb5vI230Q/cqhnl94niWGwa7zigR4xBDMEO8vR
YX0t79BQ2QKcDfj2JNCznQwwIMFqi6SrgE7za0Gi546xghvXtYpi+toP7S+0t+xA
S0C5Mn2O7ApOp8AlTj7bc9ujw6atmt3eJJShifXcaIdf2GvjA8r+FDlJjndw6O4Q
fpEpzwiIQn+Ev8dItbZCz4jIiAc92qnxi6pRIz3WlbcZA0zeafv2cm9LRRVOpEkL
Jl/x3q2MW+edZElLCIwpmobXi+4r/tWsC2i21dLklkRmLD3L7ebbuX/sNFHwZM9J
VUr1CJLuUYVRy7xZDx3mzqzUgBcEmEYO/hjDqCpydshqa1GyTI2jG5Ts2xxpYgw3
KBQF1F8NSV56fkNBZ5sBRFSBymsiKDQ6Q1caLrY8EUhltpZfk/4ulOmoKJP4lTJf
kers4NPG+7zWVKeq/Oh6Naf8xtJASZK8DgjeOo6nXz1iUwpvT2HzXK/xtsyPC1f4
/bZUdrp4EnWf08sq0zbG
=121x
-----END PGP SIGNATURE-----

--iTriCVqLUF6nVBpvJpWsabpxNV8aHsJ5X--


--===============6556648888033735055==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============6556648888033735055==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung