Red Hat Security Advisory 2013-1524-01 - The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services. It was found that tokens issued to a tenant were not invalidated when that tenant was disabled in Keystone. This could allow users assigned to a disabled tenant to retain access to resources they should no longer be able to access. These updated packages have been upgraded to upstream version 2013.1.4, which provides a number of bug fixes over the previous version.
b24f71928e7f9e525e30eb87c9d89f612ec145a89de4dc93edae2fdb4ed1e42bUbuntu Security Notice 2002-1 - Chmouel Boudjnah discovered that Keystone did not properly invalidate user tokens when a tenant was disabled which allowed an authenticated user to retain access via the token. Kieran Spear discovered that Keystone did not properly verify PKI tokens when performing revocation when using the memcache and KVS backends. An authenticated attacker could exploit this to bypass intended access restrictions. Various other issues were also addressed.
f6c7d78a98e19bff9d96af24e8f2c061c076b9f02b37bf3bb46129464f18077f
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed