Bug 1095981 - (CVE-2014-0204) CVE-2014-0204 openstack-keystone: user and group id mismatch
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140521,repor...
Keywords: Security
Depends On: 1112079 1101008
Blocks: 1095984
Reported: 2014-05-08 22:38 EDT by Murray McAllister
Modified: 2016-04-26 13:48 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-23 02:40:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Murray McAllister 2014-05-08 22:38:27 EDT
The OpenStack project reports:

""
Title: Keystone user and group id mismatch
Reporter: Michael Stancampiano (IBM)
Products: Keystone
Versions: 2014.1

Description:
Michael Stancampiano from IBM reported a vulnerability in Keystone.
Someone with write access to the user and group repository (such as the
LDAP directory server) may willingly or unwillingly grant additional
rights by picking the same IDs for users and groups, resulting in roles
assigned to a group being assigned to the affected user even if he is
not a member of this group. Only Keystone setups using LDAP for the
Identity driver are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Michael Stancampiano of IBM as the original reporter.
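The advisory above describes a namespace collision: role assignments are resolved by an ID that can name either a user or a group, so a group's roles land on a user who merely shares the group's ID. The following is an added, constructed Python model of that failure mode and of the obvious fix (keying assignments on actor type as well as ID); it is not Keystone's code, and the `USERS`, `GROUPS`, `ASSIGNMENTS` tables and the `roles_naive`, `roles_typed` and `id_collisions` functions are hypothetical stand-ins for an LDAP-backed identity repository and role store.

```python
"""Model of how a user/group ID collision can leak group roles to a user.

Constructed example, not Keystone's code. The dicts below stand in for the
LDAP-backed user and group repositories and for the role-assignment store.
"""
from collections import namedtuple

# Constructed directory contents: user "1001" (alice) and group "1001"
# (cloud-admins) share the same ID. Alice is NOT a member of cloud-admins,
# but she IS a member of group "2000" (devs).
USERS = {"1001": {"name": "alice"}}
GROUPS = {
    "1001": {"name": "cloud-admins", "members": []},
    "2000": {"name": "devs", "members": ["1001"]},
}

# Role assignments: "admin" on project p1 for group 1001, "member" on p1 for
# group 2000. Nothing is assigned directly to the user.
Assignment = namedtuple("Assignment", "actor_type actor_id role project")
ASSIGNMENTS = [
    Assignment("group", "1001", "admin", "p1"),
    Assignment("group", "2000", "member", "p1"),
]


def groups_of(user_id):
    """Groups the user actually belongs to, by membership list."""
    return {gid for gid, g in GROUPS.items() if user_id in g["members"]}


def roles_naive(user_id, project):
    """Vulnerable resolution: matches assignments on the bare actor ID.

    The user's own ID and the IDs of her groups are thrown into one set, so
    the assignment to group "1001" also matches user "1001" even though she
    is not a member of that group.
    """
    ids = {user_id} | groups_of(user_id)
    return {a.role for a in ASSIGNMENTS
            if a.project == project and a.actor_id in ids}


def roles_typed(user_id, project):
    """Hardened resolution: matches on (actor_type, actor_id).

    User and group IDs now live in separate namespaces, so a shared numeric
    ID can no longer make a group assignment apply to a user.
    """
    actors = {("user", user_id)} | {("group", g) for g in groups_of(user_id)}
    return {a.role for a in ASSIGNMENTS
            if a.project == project and (a.actor_type, a.actor_id) in actors}


def id_collisions(users, groups):
    """Audit check: IDs that appear in both the user and the group repository.

    A non-empty result is the precondition the advisory describes and is worth
    alerting on regardless of how assignments are resolved.
    """
    return sorted(set(users) & set(groups))


if __name__ == "__main__":
    # Naive lookup leaks "admin" via the colliding group ID; typed lookup
    # yields only the "member" role alice legitimately holds through devs.
    print("naive :", roles_naive("1001", "p1"))
    print("typed :", roles_typed("1001", "p1"))
    print("collisions:", id_collisions(USERS, GROUPS))
```

Running the model prints the admin role for the naive lookup and only the member role for the typed lookup; the collision check reports `['1001']`, which is the condition a directory audit should flag before any role resolution runs against it.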
Comment 4 Alan Pevec 2014-05-21 18:06:43 EDT
This went public today http://lists.openstack.org/pipermail/openstack-announce/2014-May/000231.html

Please create Fedora clone.
Comment 6 Murray McAllister 2014-05-25 08:18:48 EDT
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1101008]
Comment 7 Murray McAllister 2014-05-25 08:19:27 EDT
Note that there is a regression in the original patches: https://review.openstack.org/94397
Comment 9 Garth Mollett 2014-05-28 02:57:34 EDT
Statement:

Not vulnerable. This issue did not affect the versions of openstack-keystone as shipped with Red Hat Enterprise Linux OpenStack Platform 3 and 4.
