Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 507384 (CVE-2014-2828) - <sys-auth/keystone-2013.2.3-r1 : Keystone DoS through V3 API authentication chaining (CVE-2014-2828) (OSSA 2014-013)
Summary: <sys-auth/keystone-2013.2.3-r1 : Keystone DoS through V3 API authentication c...
Alias: CVE-2014-2828
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2014-04-11 08:01 UTC by Agostino Sarubbo
Modified: 2014-04-11 15:48 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-11 08:01:53 UTC
From ${URL} :

OpenStack Security Advisory: 2014-013
CVE: CVE-2014-2828
Date: April 10, 2014
Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: from 2013.1 to 2013.2.3

Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3
API authentication. By sending a single request with the same
authentication method multiple times, a remote attacker may generate
unwanted load on the Keystone host, potentially resulting in a Denial of
Service against a Keystone service. Only Keystone setups enabling V3 API
are affected.

Juno (development branch) fix:

Icehouse (milestone-proposed branch) fix:

Havana fix:

This fix is included in the icehouse-rc2 development milestone and will
be included in a future 2013.2.4 release.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-11 15:29:14 UTC
fixed in tree, vulnerable versions removed
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-11 15:48:51 UTC
Closing as noglsa