| Summary: | sys-auth/keystone: Unintentional role granting with Keystone LDAP backend (CVE-2013-4477) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Mikle Kolyada (RETIRED) <zlogene> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/oss-sec/2013/q4/186 | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Mikle Kolyada (RETIRED)
2013-10-29 11:45:31 UTC
fixed by upstream: https://review.openstack.org/#/c/53146/

CVE-2013-4477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4477): The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.

fixed in tree

keystone-2013.1.4-r1.ebuild: "${FILESDIR}/2013.1.4-CVE-2013-4477.patch"
keystone-2013.2-r1.ebuild: "${FILESDIR}/2013.2-CVE-2013-4477.patch"
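A hypothetical model of the defect class described in this report, added here as an example that is not Keystone's code or the upstream fix: the in-memory directory, `NoSuchAttribute`, `get_or_create` and the fallback branch are constructed stand-ins, and `removal_grants_role` is the invariant a regression test should assert (removing a role the user lacks must never leave them holding it).

```python
# Hypothetical model of the CVE-2013-4477 defect class (added example, not
# Keystone's code): a role-removal path whose not-found fallback shares a
# create path. The directory below is a constructed dict stand-in for LDAP.


class NoSuchAttribute(Exception):
    """Stand-in for the LDAP error raised when deleting an absent member value."""


class RoleNotFound(Exception):
    """What a correct backend should raise for a role the user does not hold."""


class FakeRoleDirectory:
    """Maps (tenant, role) -> set of member users, mimicking LDAP role entries."""

    def __init__(self):
        self.entries = {}

    def members(self, tenant, role):
        return set(self.entries.get((tenant, role), set()))

    def mod_delete(self, tenant, role, user):
        members = self.entries.get((tenant, role), set())
        if user not in members:
            raise NoSuchAttribute()
        members.discard(user)

    def get_or_create(self, tenant, role, user):
        # Hypothetical: role entries need at least one member, so creation seeds `user`.
        self.entries.setdefault((tenant, role), set()).add(user)


def remove_role_vulnerable(directory, user, tenant, role):
    """Defective (hypothetical): the not-found fallback creates/seeds the entry."""
    try:
        directory.mod_delete(tenant, role, user)
    except NoSuchAttribute:
        directory.get_or_create(tenant, role, user)  # grants instead of removing


def remove_role_fixed(directory, user, tenant, role):
    """Corrected: an absent assignment is an error, never a create path."""
    try:
        directory.mod_delete(tenant, role, user)
    except NoSuchAttribute:
        raise RoleNotFound(f"{user} has no role {role} on {tenant}")


def removal_grants_role(remove_fn):
    """Regression probe: does removing an unheld role leave the user holding it?"""
    directory = FakeRoleDirectory()
    try:
        remove_fn(directory, "alice", "tenant-a", "admin")
    except RoleNotFound:
        pass
    return "alice" in directory.members("tenant-a", "admin")
```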