Summary: | sys-auth/keystone: Disabling a tenant does not disable a user token (CVE-2013-4222) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=995598 | ||
Whiteboard: | ~4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-08-10 10:19:06 UTC
Patch is currently under consideration by upstream. Can either apply it now or wait for inclusion in the next release. I am comfortable taking the patch if it's been committed to master (and preferably to the stable branches). Looks like patch was merged into upstream master. Not certain whether it's been released anywhere. I'm pretty sure that this is a bug in Havana only so does not effect us. I will let you know when I verify. ok, it is a grizzly issue. Also, upstream is 50/50 on whether or not they will backport. fix present in the following versions via non-upstream-merged patch keystone-2012.2.4-r9 keystone-2013.1.3-r3 keystone-2013.1.9999 via upstream-merged patch keystone-9999 no vulnerable stuff in tree, removing myself from cc, feel free to add me if more work is needed. noglsa. Done here. CVE changes are now in stable/grizzly, causing the patch and ebuild to fail. https://github.com/openstack/keystone/tree/stable/grizzly * Failed Patch: 2013.1.3-CVE-2013-4222.patch ! * ( /usr/portage/sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch ) * * Include in your bugreport the contents of: * * /var/tmp/portage/sys-auth/keystone-2013.1.9999/temp/2013.1.3-CVE-2013-4222.patch-2868.out * ERROR: sys-auth/keystone-2013.1.9999::gentoo failed (prepare phase): * Failed Patch: 2013.1.3-CVE-2013-4222.patch! * * Call stack: * ebuild.sh, line 93: Called src_prepare * environment, line 4233: Called distutils-r1_src_prepare * environment, line 1157: Called distutils-r1_python_prepare_all * environment, line 1076: Called epatch '/usr/portage/sys-auth/keystone/files/2013.1.3-CVE-2013-4222.patch' * environment, line 1796: Called die * The specific snippet of code: * die "Failed Patch: ${patchname}!"; * * If you need support, post the output of `emerge --info '=sys-auth/keystone-2013.1.9999::gentoo'`, * the complete build log and the output of `emerge -pqv '=sys-auth/keystone-2013.1.9999::gentoo'`. * The complete build log is located at '/var/tmp/portage/sys-auth/keystone-2013.1.9999/temp/build.log'. * The ebuild environment file is located at '/var/tmp/portage/sys-auth/keystone-2013.1.9999/temp/environment'. * Working directory: '/var/tmp/portage/sys-auth/keystone-2013.1.9999/work/keystone-2013.1.9999' * S: '/var/tmp/portage/sys-auth/keystone-2013.1.9999/work/keystone-2013.1.9999' qemu2 keystone # fixed CVE-2013-4222 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4222): OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token. |