Rohit Karajgi discovered a vulnerability in OpenStack Keystone token handling: token authentication for a user belonging to a disabled tenant should not be allowed. External References: https://bugs.launchpad.net/keystone/+bug/988920
Created openstack-keystone tracking bugs for this issue Affects: fedora-all [bug 861182]
Created openstack-keystone tracking bugs for this issue Affects: epel-6 [bug 861183]
Created attachment 618258: CVE-2012-4457-keystone-988920.patch
Official vendor advisory: https://lists.launchpad.net/openstack/msg17036.html
Above is a reply; the original OSSA 2012-016 post is https://lists.launchpad.net/openstack/msg17035.html
This issue has been addressed in the following products: OpenStack Essex for RHEL 6, via RHSA-2012:1378 https://rhn.redhat.com/errata/RHSA-2012-1378.html