
Bug 467312 (CVE-2013-2013)

Summary: sys-auth/keystone: multiple vulnerabilities (CVE-2013-{2013,2014,2059})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=957033
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-04-26 08:46:07 UTC
From ${URL} :

Jake Dahn reports:

Updating password via CLI should be done via a secure password prompt, not text.

current: keystone user-password-update --user=jake --password=foo

expected: keystone user-password-update --user=jake
                        Password:
                        Repeat Password:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
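The report above asks for a prompt instead of a --password argument. The following is an added example (not python-keystoneclient code) that shows the mechanism behind the complaint: argv is readable by any local user through /proc/<pid>/cmdline, so a secret placed there is exposed for the life of the process. It also shows the prompt-based alternative with a confirmation step. The option names and the injectable prompt function are assumptions of the example.

```python
"""Added example, not python-keystoneclient code: why a password given as a
command-line argument leaks to other local users, and the prompt-based
alternative the report asks for."""
import argparse
import getpass
import sys


def parse_proc_cmdline(raw):
    """Split the contents of /proc/<pid>/cmdline (NUL-separated, NUL-terminated)
    into an argv list. Any local user can read this file for any process."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def password_exposed_in(argv):
    """Return the password recoverable from a process listing, or None.
    Handles both `--password foo` and `--password=foo`."""
    for i, arg in enumerate(argv):
        if arg == "--password" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--password="):
            return arg.split("=", 1)[1]
    return None


def read_password_securely(prompt_fn=getpass.getpass, max_attempts=3):
    """Prompt twice with terminal echo disabled and return the password only
    when both entries match and are non-empty. prompt_fn is injectable so the
    logic can be exercised without a TTY; the default is getpass.getpass."""
    for _ in range(max_attempts):
        first = prompt_fn("Password: ")
        second = prompt_fn("Repeat Password: ")
        if first and first == second:
            return first
        print("Passwords do not match or are empty, try again.", file=sys.stderr)
    raise SystemExit("too many failed attempts")


def build_parser():
    parser = argparse.ArgumentParser(prog="user-password-update")
    parser.add_argument("--user", required=True)
    # Deliberately absent: a --password option. Anything on argv sits in
    # /proc/<pid>/cmdline for the life of the process, so the only way to keep
    # the secret off the process list is to never accept it there.
    return parser


def main(argv=None):
    args = build_parser().parse_args(argv)
    new_password = read_password_securely()
    # A real client would now send (args.user, new_password) to the API.
    return args.user, new_password


if __name__ == "__main__":
    main()
```

To see the exposure on a live system, run any command with a password argument and, from another shell, `tr '\0' ' ' < /proc/<pid>/cmdline`; `password_exposed_in` is what an attacker's one-liner over `ps -ef` amounts to.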
Comment 1 Agostino Sarubbo gentoo-dev 2013-04-26 08:46:35 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=957028 :

Yaguang Tang reports:

Concurrent requests with a large POST body can crash the keystone process.

This can be used maliciously and lead to a DoS of the Cloud Service Provider.

The OpenStack project has confirmed:

Concurrent Keystone POST requests with large body messages are held in memory 
without filtering or rate limiting, this can lead to resource exhaustion on 
the Keystone server.

External references:
https://bugs.launchpad.net/keystone/+bug/1098177
https://bugs.launchpad.net/ossn/+bug/1155566
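The advisory text above says large POST bodies were held in memory without filtering. The following is an added example, not Keystone's own middleware, of the class of control that addresses this: a WSGI wrapper that rejects a request whose declared Content-Length exceeds a limit, and that also caps the bytes actually read from the socket so a missing or understated Content-Length cannot bypass the check. The limit value, the echo application and the minimal WSGI driver are constructed for the example.

```python
"""Added example, not Keystone's own middleware: a WSGI wrapper that refuses
request bodies above a byte limit before the application buffers them. The
limit value and the echo application are constructed for this example."""
import io
import json

MAX_BODY_BYTES = 16 * 1024  # assumed default limit for this example


class RequestTooLarge(Exception):
    pass


class LimitedInput:
    """Wraps environ['wsgi.input'] and fails once more than `limit` bytes have
    been handed out, so a missing or understated Content-Length cannot bypass
    the check. Only read() is wrapped; extend for readline() if your
    framework uses it."""

    def __init__(self, stream, limit):
        self._stream = stream
        self._limit = limit
        self._read = 0

    def read(self, size=-1):
        remaining_allowed = self._limit - self._read + 1  # +1 lets us detect overrun
        want = remaining_allowed if size is None or size < 0 else min(size, remaining_allowed)
        chunk = self._stream.read(want)
        self._read += len(chunk)
        if self._read > self._limit:
            raise RequestTooLarge()
        return chunk


class BodySizeLimiter:
    def __init__(self, app, limit=MAX_BODY_BYTES):
        self.app = app
        self.limit = limit

    def __call__(self, environ, start_response):
        declared = environ.get("CONTENT_LENGTH") or "0"
        try:
            if int(declared) > self.limit:
                return self._reject(start_response, "413 Request Entity Too Large")
        except ValueError:
            return self._reject(start_response, "400 Bad Request")
        # Cheap header check passed; still guard the actual stream.
        environ["wsgi.input"] = LimitedInput(environ["wsgi.input"], self.limit)
        try:
            return self.app(environ, start_response)
        except RequestTooLarge:
            return self._reject(start_response, "413 Request Entity Too Large")

    @staticmethod
    def _reject(start_response, status):
        body = json.dumps({"error": status}).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(body)))])
        return [body]


def echo_app(environ, start_response):
    """Constructed stand-in for an application that buffers the whole body
    in memory before answering, as the advisory describes."""
    data = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [str(len(data)).encode()]


def post(app, body, declared=None):
    """Minimal WSGI driver: POST `body` with Content-Length `declared`
    (defaults to the true length) and return (status, response_bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "POST",
               "CONTENT_LENGTH": str(len(body) if declared is None else declared),
               "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return captured["status"], out


limited = BodySizeLimiter(echo_app, limit=1024)
```

The header check alone is not enough: a client can declare a small Content-Length and keep sending, or omit the header under a chunked front end, which is why the stream is wrapped as well. Rate limiting concurrent requests is a separate control that this example does not attempt.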
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-01 14:47:11 UTC
https://bugs.launchpad.net/python-keystoneclient/+bug/938315

the secure password prompt bug
Comment 3 Agostino Sarubbo gentoo-dev 2013-05-10 09:17:15 UTC
http://www.openwall.com/lists/oss-security/2013/05/09/3 :

OpenStack Security Advisory: 2013-011
CVE: CVE-2013-2059
Date: May 9, 2013
Title: Keystone tokens not immediately invalidated when user is deleted
Reporter: Sam Stoelinga
Products: Keystone
Affects: All versions

Description:
Sam Stoelinga reported a vulnerability in Keystone. When users are
deleted through Keystone v2 API, existing tokens for those users are not
immediately invalidated and remain valid for the duration of the token's
life (by default, up to 24 hours). This may result in users retaining
access when the administrator of the system thought them disabled. You
can workaround this issue by disabling a user before deleting it: in
that case the tokens belonging to the disabled user are immediately
invalidated. Keystone setups using the v3 API call to delete users are
unaffected.

Havana (development branch) fix:
https://review.openstack.org/#/c/28677/

Grizzly fix:
https://review.openstack.org/#/c/28678/

Folsom fix:
https://review.openstack.org/#/c/28679/

References:
https://bugs.launchpad.net/keystone/+bug/1166670
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2059
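The advisory quoted above describes a token outliving its deleted user for up to the default 24-hour lifetime, and notes that disabling the user first revokes its tokens. The following is an added example, not Keystone code, of a minimal identity/token model that makes that behaviour observable: the pre-fix delete removes only the user record, the fixed delete revokes the user's tokens first, and the workaround (disable, then delete) gets the same result through the existing disable path. That validation consults only the token record is an assumption of this model, chosen so the three paths can be compared.

```python
"""Added example, not Keystone code: a minimal identity/token model that makes
the OSSA-2013-011 behaviour visible. Validation consults only the token record
(an assumption of this model); the fixed delete revokes the user's tokens as
the disable path already does, which is also why the advisory's workaround
(disable, then delete) works."""
import secrets
import time

TOKEN_TTL = 24 * 3600  # default token lifetime quoted in the advisory


class IdentityStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # user_id -> {"enabled": bool}
        self.tokens = {}   # token_id -> {"user_id": str, "expires": float}

    def create_user(self, user_id):
        self.users[user_id] = {"enabled": True}

    def issue_token(self, user_id):
        if not self.users.get(user_id, {}).get("enabled"):
            raise PermissionError("unknown or disabled user")
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {"user_id": user_id,
                                 "expires": self.clock() + TOKEN_TTL}
        return token_id

    def validate(self, token_id):
        """A token is valid while it exists and has not expired. Nothing here
        looks at the user table, so a deleted user's token stays valid unless
        something revoked it."""
        token = self.tokens.get(token_id)
        return token is not None and token["expires"] > self.clock()

    def revoke_tokens_for_user(self, user_id):
        for token_id in [t for t, v in self.tokens.items() if v["user_id"] == user_id]:
            del self.tokens[token_id]

    def disable_user(self, user_id):
        self.users[user_id]["enabled"] = False
        self.revoke_tokens_for_user(user_id)  # disable already revoked tokens

    def delete_user_v2_vulnerable(self, user_id):
        # Models the pre-fix v2 path: the user row goes, the tokens stay.
        del self.users[user_id]

    def delete_user_fixed(self, user_id):
        # The fix: revoke before removing the user, mirroring disable_user.
        self.revoke_tokens_for_user(user_id)
        del self.users[user_id]


def demo(scenario):
    """Run one deletion scenario and return (accepted right after deletion,
    accepted after TOKEN_TTL has elapsed). scenario is 'vulnerable', 'fixed'
    or 'workaround'. Uses a fake clock so the 24-hour window can be skipped."""
    now = [1_000_000.0]
    store = IdentityStore(clock=lambda: now[0])
    store.create_user("sam")
    token = store.issue_token("sam")
    if scenario == "vulnerable":
        store.delete_user_v2_vulnerable("sam")
    elif scenario == "fixed":
        store.delete_user_fixed("sam")
    elif scenario == "workaround":
        store.disable_user("sam")
        store.delete_user_v2_vulnerable("sam")
    else:
        raise ValueError(scenario)
    still_valid = store.validate(token)
    now[0] += TOKEN_TTL  # once the lifetime passes even the leaked token dies
    return still_valid, store.validate(token)
```

Only the vulnerable path returns an accepted token after deletion; in all three cases the token is rejected once its lifetime has passed, which is the window the advisory is concerned with.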
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-10 16:10:52 UTC
fixed for all versions in tree:
https://bugs.launchpad.net/keystone/+bug/1166670


Still needs fixing:
https://bugs.launchpad.net/python-keystoneclient/+bug/938315
https://bugs.launchpad.net/keystone/+bug/1166670
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-24 14:34:52 UTC
keystoneclient fixed

only upstream bug remaining is https://bugs.launchpad.net/keystone/+bug/1098177
Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-24 15:20:42 UTC
upon further investigation the remaining upstream bug (1098177) is a duplicate of upstream bug https://bugs.launchpad.net/ossn/+bug/1155566 which was marked as fixed by releasing a security advisory to the openstack-dev mailing list.  How should I handle this fix, release a GLSA?
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-11 00:52:45 UTC
Seeing as how this was fixed, can we close?
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-11 03:53:40 UTC
I'm removing myself as I see this as closable, re-add me if you don't think so.
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-29 14:37:03 UTC
*** Bug 482876 has been marked as a duplicate of this bug. ***