Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 466500 (CVE-2013-1977) - <sys-auth/keystone-{2012.2.4-r3,2013.1.1}: Insecure management of LDAP and admin_token configuration file values (CVE-2013-1977)
Summary: <sys-auth/keystone-{2012.2.4-r3,2013.1.1}: Insecure management of LDAP and ad...
Alias: CVE-2013-1977
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2013-04-19 19:34 UTC by Agostino Sarubbo
Modified: 2013-10-02 22:04 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-04-19 19:34:46 UTC
From ${URL} :

A security flaw was found in the way Openstack Keystone (previously) performed management of LDAP 
password and admin_token Keystone daemon configuration file values. A local attacker could use this 
flaw to obtain sensitive information.


Relevant upstream patch (Gerrit form):
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-04-19 19:54:25 UTC
Patch has not been approved yet.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-17 15:35:03 UTC
fix released for folsom and grizzly, offending ebuilds removed from tree.

fixed in keystone-2012.2.4-r3.ebuild and keystone-2013.1.1.ebuild
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 03:16:20 UTC
CVE-2013-1977 (
  OpenStack devstack uses world-readable permissions for keystone.conf, which
  allows local users to obtain sensitive information such as the LDAP password
  and admin_token secret by reading the file.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-02 03:55:37 UTC
We're done here.