| Summary: | <sys-auth/keystone-2013.1.2-r1: LDAP Authentication Security Bypass Security Issue (CVE-2013-2157) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/53769/ | ||
| Whiteboard: | ~1 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
I've had the patch ready since last week but I haven't been able to cvs up or add or do anything for the last two days (since it went public). If you want, I can provide a tarball and someone else can update :( cvs up Connection closed by 2001:758:f00:4732:81:93:255:6 cvs [update aborted]: end of file from server (consult above messages if any) fixed in tree keystone-2012.2.4-r5.ebuild keystone-2013.1.2-r1.ebuild Older versions were already cleaned, so I think that there's nothing else to do here. agreed, I think all the needs for the bug have been met, closing. CVE-2013-2157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2157): OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password. |
From ${URL} : Description A security issue has been reported in OpenStack Keystone, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to an error when handling authentication via LDAP and can be exploited to authenticate as an arbitrary user by providing an empty password. Successful exploitation requires the use of LDAP authentication. The security issue is reported in versions Folsom (2012.2) and Grizzly (2013.1). Solution Fixed in the source code repository. Further details available to Secunia VIM customers Provided and/or discovered by The vendor credits Jose Castro Leon, CERN. Original Advisory OSSA 2013-015: http://www.openwall.com/lists/oss-security/2013/06/13/3 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.