Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 505976 (CVE-2014-0105) - <dev-python/python-keystoneclient-0.7.1: Potential context confusion in Keystone middleware (OSSA 2014-007) (CVE-2014-0105)
Summary: <dev-python/python-keystoneclient-0.7.1: Potential context confusion in Keyst...
Alias: CVE-2014-0105
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2014-03-27 15:46 UTC by Agostino Sarubbo
Modified: 2014-08-15 21:45 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-27 15:46:44 UTC
From ${URL} :

penStack Security Advisory: 2014-007
CVE: CVE-2014-0105
Date: March 27, 2014
Title: Potential context confusion in Keystone middleware
Reporter: Kieran Spear (University of Melbourne)
Products: python-keystoneclient
Versions: All versions up to 0.6.0

Kieran Spear from the University of Melbourne reported a vulnerability
in Keystone auth_token middleware (shipped in python-keystoneclient). By
doing repeated requests, with sufficient load on the target system, an
authenticated user may in certain situations assume another
authenticated user's complete identity and multi-tenant authorizations,
potentially resulting in a privilege escalation. Note that it is related
to a bad interaction between eventlet and python-memcached that should
be avoided if the calling process already monkey-patches "thread" to use
eventlet. Only keystone middleware setups using auth_token with memcache
are vulnerable.

python-keystoneclient fix (included in 0.7.0 release):


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-03-27 22:03:12 UTC
mostly fixed, no fix provided for python-keystoneclient>=0.2.1,<0.3

made a note in the upstream bug that we need that patch

0.2.5 remains vulnerable
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-06 05:51:35 UTC
removed the old and jankey, no vulerable versions remain in tree.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-04-07 04:00:15 UTC
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.