Bug 1024401 (CVE-2013-4477)
| Summary: | CVE-2013-4477 openstack-keystone: unintentional role granting with Keystone LDAP backend | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | unspecified | CC: | aortega, apevec, apevec, ayoung, bfilippov, breu, chrisw, dallan, d.busby, gkotton, gmollett, iheim, itamar, Jan.van.Eldik, jonathansteffan, jose.castro.leon, lhh, markmc, p, rbryant, rhos-maint, sclewis, yeylon | ||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2014-03-28 00:59:31 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | 1024441, 1024442, 1024443, 1024446, 1024447 | ||||||||||
| Bug Blocks: | 1024402 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Vincent Danen
2013-10-29 15:17:35 UTC
The Grizzly fix is here: https://github.com/openstack/keystone/commit/82dcde08f60c45002955875664a3cf82d1d211bc The Havana fix is here: https://github.com/openstack/keystone/commit/4221b6020e6b0b42325d8904d7b8a22577a6acc0 The upstream bug report contains fairly detailed reproduction instructions as well. Note that this requires administrator privileges. Upstream fix information: Reviewed: https://review.openstack.org/53010 Committed: http://github.com/openstack/keystone/commit/b17e7bec768bd53d3977352486378698a3db3cfa Submitter: Jenkins Branch: master commit b17e7bec768bd53d3977352486378698a3db3cfa Author: Brant Knudson <bknudson.com> Date: Mon Oct 21 15:21:12 2013 -0500 Enhance tests for deleting a role not assigned There wasn't a test that showed what happens when a role is deleted that was never assigned. Change-Id: I2845e3f03dc8e8f1dd41d8f41d2f6669004bc506 Related-bug: #1242855 Reviewed: https://review.openstack.org/53012 Committed: http://github.com/openstack/keystone/commit/c6800ca1ac984c879e75826df6694d6199444ea0 Submitter: Jenkins Branch: master commit c6800ca1ac984c879e75826df6694d6199444ea0 Author: Brant Knudson <bknudson.com> Date: Mon Oct 21 15:31:23 2013 -0500 Fix remove role assignment adds role using LDAP assignment When using the LDAP assignment backend, attempting to remove a role assignment when the role hadn't been used before would actually add the role assignment and would not return a 404 Not Found like the SQL backend. This change makes it so that when attempt to remove a role that wasn't assigned then 404 Not Found is returned. Closes-Bug: #1242855 Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3 Created openstack-keystone tracking bugs for this issue: Affects: fedora-all [bug 1024441] Affects: epel-6 [bug 1024442] Created attachment 817139 [details]
CVE-2013-4477-grizzly.patch
Created attachment 817140 [details]
CVE-2013-4477-havana.patch
Created attachment 817141 [details]
CVE-2013-4477-icehouse.patch
openstack-keystone-2013.1.4-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. openstack-keystone-2013.2.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0113 https://rhn.redhat.com/errata/RHSA-2014-0113.html |