Bug 484604 (CVE-2013-4294) - <sys-auth/keystone-2013.1.3-r1: Token revocation failure using Keystone memcache/KVS backends (CVE-2013-4294)
Summary: <sys-auth/keystone-2013.1.3-r1: Token revocation failure using Keystone memca...
Status: RESOLVED FIXED
Alias: CVE-2013-4294
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2013-09-11 17:46 UTC by Agostino Sarubbo
Modified: 2013-09-24 22:04 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-09-11 17:46:36 UTC
From ${URL} :

OpenStack Security Advisory: 2013-025
CVE: CVE-2013-4294
Date: September 11, 2013
Title: Token revocation failure using Keystone memcache/KVS backends
Reporter: Kieran Spear (University of Melbourne)
Products: Keystone
Affects: Folsom, Grizzly

Description:
Kieran Spear from the University of Melbourne reported a vulnerability
in Keystone memcache and KVS token backends. The PKI token revocation
lists stored the entire token instead of the token ID, triggering
comparison failures, ultimately resulting in revoked PKI tokens still
being considered valid. Only Folsom and Grizzly Keystone setups making
use of PKI tokens with the memcache or KVS token backends are affected.
Havana setups, setups using UUID tokens, or setups using PKI tokens with
the SQL token backend are all unaffected.

Grizzly fix:
https://review.openstack.org/#/c/46080/

Folsom fix:
https://review.openstack.org/#/c/46079/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4294
https://bugs.launchpad.net/keystone/+bug/1202952


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
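As an added illustration of the comparison failure the advisory describes (a constructed model, not Keystone's own code: `token_id_of`, `RevocationStore`, `is_revoked` and `audit_revocation_list` are assumed stand-ins for the real backend and validator), the defective backend puts the whole token record into the revocation list, so the ID comparison never matches, while the audit function shows how an operator could spot such malformed entries in a fetched revocation list:

```python
"""Constructed model of the CVE-2013-4294 comparison failure (not Keystone code)."""
import hashlib

def token_id_of(token):
    # Stand-in for a PKI token ID: a digest of the signed token blob.
    return hashlib.sha256(token["signed"].encode()).hexdigest()

class RevocationStore:
    """In-memory stand-in for a memcache/KVS token backend's revocation list."""
    def __init__(self, store_whole_token):
        # store_whole_token=True reproduces the defect the advisory describes.
        self.store_whole_token = store_whole_token
        self._revoked = []

    def revoke(self, token):
        # Defect: the entry's "id" is the whole token record, not its ID string.
        ident = token if self.store_whole_token else token_id_of(token)
        self._revoked.append({"id": ident, "expires": token["expires"]})

    def list_revoked_tokens(self):
        return list(self._revoked)

def is_revoked(token, store):
    """The check a validating service performs: token ID against list entries."""
    tid = token_id_of(token)
    # With the defect entry["id"] is a dict, so this equality never holds and
    # the revoked token is still treated as valid.
    return any(entry["id"] == tid for entry in store.list_revoked_tokens())

def audit_revocation_list(entries):
    """Defender check: positions of entries whose "id" is not a hex ID string."""
    hexdigits = set("0123456789abcdef")
    return [pos for pos, entry in enumerate(entries)
            if not (isinstance(entry.get("id"), str) and entry["id"]
                    and set(entry["id"]) <= hexdigits)]

# Constructed token; "signed" stands in for the CMS-signed token blob.
TOKEN = {"signed": "MIIB...constructed...", "expires": "2013-09-12T00:00:00Z"}

def demo(store_whole_token):
    """Revoke TOKEN, then report (is it seen as revoked?, audit findings)."""
    store = RevocationStore(store_whole_token)
    store.revoke(TOKEN)
    return is_revoked(TOKEN, store), audit_revocation_list(store.list_revoked_tokens())

if __name__ == "__main__":
    print("defective backend:", demo(True))   # (False, [0]): revoked token passes
    print("fixed backend:    ", demo(False))  # (True, [])
```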
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-09-11 17:52:50 UTC
already fixed

you can close if you want :P
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 22:04:48 UTC
CVE-2013-4294 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4294):
  The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone)
  Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI
  token revocation list with PKI tokens, which allow remote attackers to
  bypass intended access restrictions via a revoked PKI token.