
Bug 469272 (CVE-2013-2030)

Summary: <sys-cluster/nova-{2013.1.2,2012.2.5}, <dev-python/python-keystoneclient-0.2.4: uses insecure keystone middleware tmpdir by default (CVE-2013-2030)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: prometheanfire
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/05/09/2
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-05-10 09:15:10 UTC
From ${URL} :

OpenStack Security Advisory: 2013-010
CVE: CVE-2013-2030
Date: May 9, 2013
Title: Nova uses insecure keystone middleware tmpdir by default
Reporter: Grant Murphy (Red Hat), Anton Lundin
Products: Nova
Affects: Folsom, Grizzly

Description:
Grant Murphy from Red Hat and Anton Lundin both independently reported a
vulnerability in Nova's default location for the Keystone middleware
signing directory (signing_dir). By previously setting up a malicious
directory structure, an attacker with local shell access on the Nova
node could potentially issue forged tokens that would be accepted by the
middleware. Only setups that use the default value for signing_dir are
affected. Note that future versions of the Keystone middleware will
issue a warning if an insecure signing directory is used.

Havana (development branch) fix:
https://review.openstack.org/#/c/28568/

Grizzly fix:
https://review.openstack.org/#/c/28569/

Folsom fix:
https://review.openstack.org/#/c/28570/

References:
https://bugs.launchpad.net/nova/+bug/1174608
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2030



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-08 21:26:24 UTC
Patch for "folsom" version 2012.2.5 available at [1]. Fixed in 2013 "grizzly" branch since 2013.1.2. Live ebuild is unaffected, of course. Note that python-keystoneclient is also affected by this, but 0.2.4 is the only version in tree and it has the fix.

[1] https://review.openstack.org/#/c/28570/
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-09 01:18:36 UTC
I'm already patching it in gentoo-x86/sys-cluster/nova/nova-2012.2.4-r3.ebuild
I'll package 2012.2.5, but you reference 2012.2.5-r1, where is that?

keystoneclient should be fixed though

can you confirm that nova still needs the fix?
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-09 01:42:59 UTC
Err, sorry, my bad, was thinking of 2012.2.5 and "add a patch to fix" and came up with 2012.2.5-r1 :) As best I can tell, yes, nova does need the fix, and there are no packaged releases for the 2012 branch with the fix, but the 2013 branch does have the fix applied.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-09 02:03:51 UTC
Well, the patch was already applied in 2012.2.4-r3. Nothing vulnerable in tree, no GLSA, closing.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-01-05 02:49:29 UTC
CVE-2013-2030 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2030):
  keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and
  Havana uses an insecure temporary directory for storing signing
  certificates, which allows local users to spoof servers by pre-creating this
  directory, which is reused by Nova, as demonstrated using
  /tmp/keystone-signing-nova on Fedora.
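
The condition described in the advisory and the CVE summary, a signing_dir under a world-writable location that another local user can create first, can be checked for directly on a node. The following is an added example, not code from Nova, Keystone or this bug report; the function name `audit_signing_dir` and its finding strings are illustrative, and it assumes the audit runs as the service user.

```python
import os
import stat


def audit_signing_dir(path, expected_uid=None):
    """Return a list of findings for a token-signing directory (empty = OK)."""
    if expected_uid is None:
        expected_uid = os.geteuid()  # assumption: audit runs as the service user
    findings = []

    # A world-writable parent (e.g. /tmp) lets any local user create the
    # directory before the service does.
    parent = os.path.dirname(os.path.abspath(path))
    if os.stat(parent).st_mode & stat.S_IWOTH:
        findings.append("parent directory is world-writable")

    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        findings.append("directory does not exist yet")
        return findings

    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink")
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append("path is not a directory")
        return findings
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other permissions set (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return findings


if __name__ == "__main__":
    import sys
    # Default is the path named in the CVE summary; pass your own signing_dir.
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/keystone-signing-nova"
    problems = audit_signing_dir(target)
    for p in problems:
        print("FINDING: " + p)
    sys.exit(1 if problems else 0)
```

An empty result means the directory already exists, is a real directory owned by the expected user with mode 0700-style permissions, and sits under a parent that other users cannot write to.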