Bug 462502 (CVE-2013-1865) - <sys-auth/keystone-2012.2.3-r2: PKI tokens online validation bypasses revocation check (CVE-2013-1865)
Summary: <sys-auth/keystone-2012.2.3-r2: PKI tokens online validation bypasses revocat...
Alias: CVE-2013-1865
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2013-03-20 15:38 UTC by Agostino Sarubbo
Modified: 2013-03-21 00:09 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-03-20 15:38:00 UTC
From ${URL} :

OpenStack Security Advisory: 2013-009
CVE: CVE-2013-1865
Date: March 20, 2013
Title: Keystone PKI tokens online validation bypasses revocation check
Reporter: Guang Yee (HP)
Products: Keystone
Affects: Folsom

Guang Yee from HP reported a vulnerability in the revocation check for
Keystone PKI tokens. Those tokens are supposed to be validated locally
using cryptographic checks, but the user also has the option of asking
the server to validate them. In that case, the online verification of
PKI tokens would bypass the revocation check, potentially affirming
revoked tokens are still valid. Only Folsom setups making use of
online verification of PKI tokens are affected.

Folsom fix:

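The flaw class the advisory describes, as an added illustration (not Keystone's code, and not the upstream fix): a token service with two validation paths, a local one that checks signature, expiry and the revocation list, and an "online" one that performs the cryptographic checks but forgets the revocation lookup, shown beside the corrected path. The HMAC signature stands in for the CMS/PKI signatures real Keystone tokens carry; the `TokenService` class, its key, user names and token ids are all constructed for this example.

```python
"""Model of the validation-path flaw described in OSSA 2013-009.

Added example, not Keystone's code: a token service with a local validation
path and an "online" server-side path. The HMAC signature stands in for the
CMS/PKI signatures real Keystone uses; the key, user names and token ids are
all constructed for this example.
"""
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenService:
    """Issues signed tokens and validates them by two independent paths."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key      # constructed secret, not a real key
        self.revoked = set()         # ids of revoked tokens

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue_token(self, user: str, ttl_seconds: int = 3600,
                    now: Optional[float] = None) -> dict:
        """Mint a token: a canonical JSON payload plus a signature over it."""
        now = time.time() if now is None else now
        claims = {"id": f"tok-{user}-{int(now)}", "user": user,
                  "exp": now + ttl_seconds}
        payload = json.dumps(claims, sort_keys=True).encode()
        return {"payload": payload.decode(), "sig": self._sign(payload)}

    @staticmethod
    def token_id(token: dict) -> str:
        return json.loads(token["payload"])["id"]

    def revoke(self, token: dict) -> None:
        """Add the token to the revocation list (e.g. on logout or password change)."""
        self.revoked.add(self.token_id(token))

    def _signature_and_expiry_ok(self, token: dict,
                                 now: Optional[float] = None) -> bool:
        """Cryptographic checks that every validation path performs."""
        now = time.time() if now is None else now
        payload = token["payload"].encode()
        if not hmac.compare_digest(self._sign(payload), token["sig"]):
            return False             # forged or tampered token
        return json.loads(payload)["exp"] > now

    def validate_local(self, token: dict, now: Optional[float] = None) -> bool:
        """Local (client-side) validation: signature, expiry, then revocation."""
        return (self._signature_and_expiry_ok(token, now)
                and self.token_id(token) not in self.revoked)

    def validate_online_vulnerable(self, token: dict,
                                   now: Optional[float] = None) -> bool:
        """Online path with the flaw: the revocation list is never consulted,
        so a revoked but otherwise well-formed token is reported as valid."""
        return self._signature_and_expiry_ok(token, now)

    def validate_online_fixed(self, token: dict,
                              now: Optional[float] = None) -> bool:
        """Hardened online path: the same revocation check as the local path."""
        return (self._signature_and_expiry_ok(token, now)
                and self.token_id(token) not in self.revoked)


def demo() -> dict:
    """Issue a token, revoke it, and return each path's verdict on it."""
    svc = TokenService(b"constructed-example-key")
    tok = svc.issue_token("alice", now=1000.0)
    svc.revoke(tok)
    return {
        "local": svc.validate_local(tok, now=1500.0),
        "online_vulnerable": svc.validate_online_vulnerable(tok, now=1500.0),
        "online_fixed": svc.validate_online_fixed(tok, now=1500.0),
    }


if __name__ == "__main__":
    # → {'local': False, 'online_vulnerable': True, 'online_fixed': False}
    print(demo())
```

The point to take from the model is that both paths share the cryptographic checks but only one consults the revocation list; the defensive pattern is to route every validation entry point through one function that performs the full set of checks, so a new path cannot silently drop one of them.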
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-03-20 17:18:06 UTC
fixed in =sys-auth/keystone-2012.2.3-r2

=sys-auth/keystone-2012.2.3-r1 removed from tree, you should be good to go.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-21 00:09:21 UTC
Closing noglsa for ~arch only.