Bug 922230 (CVE-2013-1865)
Summary: | CVE-2013-1865 OpenStack keystone: online validation of Keystone PKI tokens bypasses revocation check | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | abaron, aortega, apevec, apevec, ayoung, bfilippov, breu, chrisw, cpelland, dallan, d.busby, gkotton, Jan.van.Eldik, jlieskov, jonathansteffan, jose.castro.leon, jrusnack, kseifried, markmc, p, rbryant, rhos-maint, security-response-team, ykaul | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2013-04-04 20:47:30 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 922240, 923869, 928406 | ||||||
Bug Blocks: | 909025 | ||||||
Attachments: |
|
Description
Kurt Seifried
2013-03-15 19:54:53 UTC
Created attachment 710828 [details]
folsom-CVE-2013-1865.patch
This issue did NOT affect the version of the openstack-keystone package, as shipped with Fedora release of 17: https://review.openstack.org/#/c/24906/ -- This issue affects the version of the openstack-keystone package, as shipped with Fedora release of 18. Please schedule an update. -- This issue did NOT affect the version of the openstack-keystone package, as shipped with Fedora EPEL 6 (the openstack-keystone package for this product has been already updated to include the upstream change: https://launchpadlibrarian.net/131611658/validate-from-backend-grizzly-20130218.patch Created openstack-keystone tracking bugs for this issue Affects: fedora-18 [bug 923869] References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1865 http://www.openwall.com/lists/oss-security/2013/03/20/13 https://bugs.launchpad.net/keystone/+bug/1129713 https://review.openstack.org/#/c/24906/ http://www.ubuntu.com/usn/USN-1772-1 http://www.securityfocus.com/bid/58616 http://osvdb.org/91532 http://secunia.com/advisories/52657 Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Guang Yee (HP) as the original reporter. Created openstack-keystone tracking bugs for this issue Affects: epel-6 [bug 928406] This issue has been addressed in following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0708 https://rhn.redhat.com/errata/RHSA-2013-0708.html openstack-keystone-2012.2.3-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |