Sicherheit: Mehrere Probleme in OpenStack

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1892119257904854533==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="MwYdcTuP3TyBzoZExE4VjKM8wgT8C7LT5"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--MwYdcTuP3TyBzoZExE4VjKM8wgT8C7LT5
Content-Type: multipart/mixed;
boundary="oXduZMq8A4PS1kODauHrd2Rn5qA5njgpd"

--oXduZMq8A4PS1kODauHrd2Rn5qA5njgpd
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-4480-1
September 01, 2020

keystone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenStack Keystone.

Software Description:
- keystone: OpenStack identity service

Details:

It was discovered that OpenStack Keystone incorrectly handled EC2
credentials. An authenticated attacker with a limited scope could possibly
create EC2 credentials with escalated permissions. (CVE-2020-12689,
CVE-2020-12691)

It was discovered that OpenStack Keystone incorrectly handled the list of
roles provided with OAuth1 access tokens. An authenticated user could
possibly end up with more role assignments than intended. (CVE-2020-12690)

It was discovered that OpenStack Keystone incorrectly handled EC2 signature
TTL checks. A remote attacker could possibly use this issue to reuse
Authorization headers. (CVE-2020-12692)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
keystone 2:13.0.4-0ubuntu1
python-keystone 2:13.0.4-0ubuntu1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4480-1
CVE-2020-12689, CVE-2020-12690, CVE-2020-12691, CVE-2020-12692

Package Information:
https://launchpad.net/ubuntu/+source/keystone/2:13.0.4-0ubuntu1

--oXduZMq8A4PS1kODauHrd2Rn5qA5njgpd--

--MwYdcTuP3TyBzoZExE4VjKM8wgT8C7LT5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAl9OOXYACgkQZWnYVadE
vpO5ZQ//bQb8hb58+rPV6idIlYnbDJ2nw5Wz3LlvW0fscvPZ/MTe8bj22AJobivx
mTwQXllD1Cv5iX6uZ8KrruI3Y71353E4lAKtVEE+7vb7tftPcNQ/DYJ7w8L9NRxb
gdBB++hZGhglJO/iUBXYYX9mYUG9GeMkxa2sKI/hZcEXTPei1zD8XlUX6W8Wpw7f
DVb2JTRpIgJqFBrdf4RH/HeYBW2jz1suFuySoLklxSbC8Ke1BZboTQ82umKGs5Ny
vwoSLpjJ2bErC57LkRoEMfGJvN2weyxtLusqYcYL0XpPW7+17gHfFLUIYyQq4y2D
nqhFmZZuLZtWka3UaFin3O4k1jQ5SFD0Mx7e5UpZX9G8/AQqtb2RETs0AOvU022Z
t8xCiyb1XQfhROMnX5Jxfa2Sgd/2SrCuAo2GwELsy0jbt62YbPJoJtJGJxEeRLfW
R/VdVCI5G8rVNmboXGLVdC54Y4jIm5N8JuCdisN16sRlxlNDq91dc7CFKzTL9iTX
HrXzr/MT2sXYbh14xxI9EL8xrZo5jsgRTePH1jfB5YE6RsQpb88egvsLUz3CkcNU
YzHzCBBBentj9KEFNgH+7sEAnjzzYQhiU5vMnNkrdyPZDp7QGZzyYbdM9g71Ae04
PIzfZlgm6eJFr4YWHb/9zg6q+MV25jtAFoaVY4mjCaA6JupTLC4=
=NcjT
-----END PGP SIGNATURE-----

--MwYdcTuP3TyBzoZExE4VjKM8wgT8C7LT5--

--===============1892119257904854533==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============1892119257904854533==--