| Summary: | <dev-python/python-keystoneclient-0.7.1: Potential context confusion in Keystone middleware (OSSA 2014-007) (CVE-2014-0105) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2014/03/27/4 | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
mostly fixed, no fix provided for python-keystoneclient>=0.2.1,<0.3 made a note in the upstream bug that we need that patch 0.2.5 remains vulnerable removed the old and jankey, no vulerable versions remain in tree. Maintainer(s), Thank you for cleanup! No GLSA needed as there are no stable versions. |
From ${URL} : penStack Security Advisory: 2014-007 CVE: CVE-2014-0105 Date: March 27, 2014 Title: Potential context confusion in Keystone middleware Reporter: Kieran Spear (University of Melbourne) Products: python-keystoneclient Versions: All versions up to 0.6.0 Description: Kieran Spear from the University of Melbourne reported a vulnerability in Keystone auth_token middleware (shipped in python-keystoneclient). By doing repeated requests, with sufficient load on the target system, an authenticated user may in certain situations assume another authenticated user's complete identity and multi-tenant authorizations, potentially resulting in a privilege escalation. Note that it is related to a bad interaction between eventlet and python-memcached that should be avoided if the calling process already monkey-patches "thread" to use eventlet. Only keystone middleware setups using auth_token with memcache are vulnerable. python-keystoneclient fix (included in 0.7.0 release): https://review.openstack.org/81078 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0105 https://bugs.launchpad.net/bugs/1282865 @maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.