
Bug 473914 (CVE-2013-2166)

Summary: <dev-python/python-keystoneclient-0.2.6: Issue in the middleware memcache signing/encryption feature (CVE-2013-2166)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/06/19/5
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-06-20 10:52:55 UTC
From ${URL} :

OpenStack Security Advisory: 2013-017
CVE: CVE-2013-2166, CVE-2013-2167
Date: June 19, 2013
Title: Issues in Keystone middleware memcache signing/encryption feature
Reporter: Paul McMillan (Nebula)
Products: python-keystoneclient
Affects: version 0.2.3 to 0.2.5

Description:
Paul McMillan from Nebula reported multiple issues in the implementation
of memcache signing/encryption feature in Keystone client middleware. An
attacker with direct write access to the memcache backend (or in a
man-in-the-middle position) could insert malicious data and potentially
bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167)
security strategy that was specified. Only setups that make use of
memcache caching in the Keystone middleware (specify memcache_servers)
and use ENCRYPT or MAC as their memcache_security_strategy are
affected.

python-keystoneclient fix (will be included in upcoming 0.2.6 release):
https://review.openstack.org/#/c/33661

References:
https://bugs.launchpad.net/python-keystoneclient/+bug/1175367
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2166
https://bugs.launchpad.net/python-keystoneclient/+bug/1175368
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2167
@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
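Added illustration of the defensive principle behind the advisory above (this is example code, not python-keystoneclient's own implementation): when an attacker may write to the memcache backend, a consumer running with memcache_security_strategy set to MAC must treat any cached value that does not carry a valid tag as a cache miss rather than as data. The dict backend, the record layout and the secret are assumptions made for this example; only the MAC strategy is modelled.

```python
# Added example (not python-keystoneclient's code): a token cache that
# enforces a MAC strategy on every read. Assumption: `backend` is a dict
# standing in for the memcache servers, which an attacker with write
# access could modify at will; the record layout is constructed here.
import base64
import hashlib
import hmac

MAC_PREFIX = b"MAC:"


def mac_protect(secret: bytes, value: bytes) -> bytes:
    """Wrap a value as MAC:<b64 hmac-sha256>:<b64 value> before storing it."""
    tag = hmac.new(secret, value, hashlib.sha256).digest()
    return MAC_PREFIX + base64.b64encode(tag) + b":" + base64.b64encode(value)


def mac_unprotect(secret: bytes, blob: bytes):
    """Return the original value, or None if the blob is not a valid MAC record.

    Anything without a valid tag (plaintext written directly into the
    backend, a malformed record, a tag made under another key) is a miss.
    """
    if not blob.startswith(MAC_PREFIX):
        return None  # unsigned or unknown format: never fall back to trusting it
    try:
        tag_b64, value_b64 = blob[len(MAC_PREFIX):].split(b":", 1)
        tag = base64.b64decode(tag_b64, validate=True)
        value = base64.b64decode(value_b64, validate=True)
    except (ValueError, TypeError):
        return None  # malformed record
    expected = hmac.new(secret, value, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # forged or tampered record
    return value


class TokenCache:
    """Minimal cache wrapper; every read goes through mac_unprotect()."""

    def __init__(self, backend: dict, secret: bytes, strategy: str = "MAC"):
        if strategy != "MAC":
            raise ValueError("only the MAC strategy is modelled in this example")
        self.backend, self.secret = backend, secret

    def set(self, token_id: str, data: bytes) -> None:
        self.backend[token_id] = mac_protect(self.secret, data)

    def get(self, token_id: str):
        blob = self.backend.get(token_id)
        return None if blob is None else mac_unprotect(self.secret, blob)
```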
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-20 14:44:49 UTC
fixed in python-keystoneclient-0.2.4-r2
0.2.4-r1 removed from tree

No vulnerable ebuilds in tree, good to close from my perspective.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-06-30 13:18:20 UTC
Agreed. Closing.