The OpenStack project reports:

"Title: Keystone user and group id mismatch
Reporter: Michael Stancampiano (IBM)
Products: Keystone
Versions: 2014.1

Description:
Michael Stancampiano from IBM reported a vulnerability in Keystone. Someone with write access to the user and group repository (such as the LDAP directory server) may willingly or unwillingly grant additional rights by picking the same IDs for users and groups, resulting in roles assigned to a group being assigned to the affected user even if he is not a member of this group. Only Keystone setups using LDAP for the Identity driver are affected."

Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Michael Stancampiano of IBM as the original reporter.
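To make the mechanism in the advisory concrete, here is a simplified model of the flaw and its fix. This is an added illustration, not Keystone's code: the dict-based identity store, the assignment tuples, the function names and the sample identities ("mallory", "alice", "cloud-admins", project "prod") are assumptions chosen to show the idea. The vulnerable lookup resolves roles by actor id alone, so a user whose id collides with a group id picks up that group's roles; the fixed lookup keys on the actor type as well. A small audit helper flags id collisions between the user and group namespaces, which is the check an operator of an LDAP-backed deployment would want to run.

```python
"""Simplified model of the role-resolution flaw described in the advisory.

Added illustration, not Keystone's own code. The identity backend is a dict
standing in for an LDAP directory; the assignment backend is a list of
(actor_type, actor_id, project_id, role) tuples. All ids and names below are
constructed sample data.
"""

# Constructed identity data. Someone with write access to the directory has
# created user "mallory" whose id "1000" collides with the id of the
# "cloud-admins" group. mallory is NOT a member of that group; alice is.
USERS = {
    "1000": {"name": "mallory", "groups": set()},   # id collides with a group
    "1001": {"name": "alice", "groups": {"1000"}},  # genuine group member
}
GROUPS = {
    "1000": {"name": "cloud-admins"},
}

# Constructed role assignments: (actor_type, actor_id, project_id, role).
ASSIGNMENTS = [
    ("group", "1000", "prod", "admin"),
    ("user", "1001", "prod", "member"),
]


def roles_for_user_vulnerable(user_id, project_id):
    """Flawed lookup: matches assignments on actor id only.

    The user's own id and its group ids are merged into one set, so a user
    whose id equals a group id matches that group's assignments.
    """
    actor_ids = {user_id} | USERS[user_id]["groups"]
    return {
        role
        for (_atype, actor, target, role) in ASSIGNMENTS
        if actor in actor_ids and target == project_id
    }


def roles_for_user_fixed(user_id, project_id):
    """Hardened lookup: matches on (actor type, actor id).

    User assignments match only the user's own id; group assignments match
    only ids the user is actually a member of. A colliding id is harmless.
    """
    group_ids = USERS[user_id]["groups"]
    roles = set()
    for (atype, actor, target, role) in ASSIGNMENTS:
        if target != project_id:
            continue
        if atype == "user" and actor == user_id:
            roles.add(role)
        elif atype == "group" and actor in group_ids:
            roles.add(role)
    return roles


def find_id_collisions(users, groups):
    """Audit check: ids that exist in both the user and the group namespace.

    On an LDAP-backed deployment this is the condition that makes the flaw
    exploitable, so a non-empty result deserves investigation.
    """
    return set(users) & set(groups)


if __name__ == "__main__":
    print("vulnerable, mallory on prod:", roles_for_user_vulnerable("1000", "prod"))
    print("fixed,      mallory on prod:", roles_for_user_fixed("1000", "prod"))
    print("fixed,      alice on prod:  ", roles_for_user_fixed("1001", "prod"))
    print("user/group id collisions:   ", find_id_collisions(USERS, GROUPS))
```

Running the block shows mallory receiving the "admin" role from the vulnerable lookup and nothing from the fixed one, while alice, a real group member, gets the same roles from both; the audit helper reports the colliding id "1000".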
This went public today: http://lists.openstack.org/pipermail/openstack-announce/2014-May/000231.html Please create a Fedora clone.
Created openstack-keystone tracking bugs for this issue: Affects: fedora-all [bug 1101008]
Note that there is a regression in the original patches: https://review.openstack.org/94397
Statement: Not vulnerable. This issue did not affect the versions of openstack-keystone as shipped with Red Hat Enterprise Linux OpenStack Platform 3 and 4.