Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 473304 (CVE-2013-2157) - <sys-auth/keystone-2013.1.2-r1: LDAP Authentication Security Bypass Security Issue (CVE-2013-2157)
Summary: <sys-auth/keystone-2013.1.2-r1: LDAP Authentication Security Bypass Security ...
Alias: CVE-2013-2157
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Depends on:
Reported: 2013-06-14 19:48 UTC by Agostino Sarubbo
Modified: 2013-08-28 14:16 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-14 19:48:23 UTC
From ${URL} :

A security issue has been reported in OpenStack Keystone, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to an error when handling authentication via LDAP and can be exploited to authenticate as an arbitrary user by 
providing an empty password.

Successful exploitation requires the use of LDAP authentication.

The security issue is reported in versions Folsom (2012.2) and Grizzly (2013.1).

Fixed in the source code repository.
Further details available to Secunia VIM customers

Provided and/or discovered by
The vendor credits Jose Castro Leon, CERN.

Original Advisory
OSSA 2013-015:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-14 20:56:55 UTC
I've had the patch ready since last week but I haven't been able to cvs up or add or do anything for the last two days (since it went public).

If you want, I can provide a tarball and someone else can update :(

cvs up
Connection closed by 2001:758:f00:4732:81:93:255:6
cvs [update aborted]: end of file from server (consult above messages if any)
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-14 21:58:19 UTC
fixed in tree

keystone-2012.2.4-r5.ebuild  keystone-2013.1.2-r1.ebuild
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-06-28 23:20:02 UTC
Older versions were already cleaned, so I think that there's nothing else to do here.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-29 01:36:59 UTC
agreed, I think all the needs for the bug have been met, closing.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-08-28 14:16:40 UTC
CVE-2013-2157 (
  OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using
  LDAP with Anonymous binding, allows remote attackers to bypass
  authentication via an empty password.