| Summary: | <sys-auth/keystone-2012.2.3-r2: PKI tokens online validation bypasses revocation check (CVE-2013-1865) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2013/03/20/13 | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
fixed in =sys-auth/keystone-2012.2.3-r2 =sys-auth/keystone-2012.2.3-r1 removed from tree, you should be good to go. Closing noglsa for ~arch only. |
From ${URL} : OpenStack Security Advisory: 2013-009 CVE: CVE-2013-1865 Date: March 20, 2013 Title: Keystone PKI tokens online validation bypasses revocation check Reporter: Guang Yee (HP) Products: Keystone Affects: Folsom Description: Guang Yee from HP reported a vulnerability in the revocation check for Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic checks, but the user also has the option of asking the server to validate them. In that case, the online verification of PKI tokens would bypass the revocation check, potentially affirming revocated tokens are still valid. Only Folsom setups making use of online verification of PKI tokens are affected. Folsom fix: https://review.openstack.org/#/c/24906/ References: https://bugs.launchpad.net/keystone/folsom/+bug/1129713 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1865