Date: Thu, 9 May 2013 16:02:24 +0000 From: "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <mark.m.miller@...com> To: Thierry Carrez <thierry@...nstack.org>, "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "openstack-announce@...ts.openstack.org" <openstack-announce@...ts.openstack.org> Subject: RE: [Openstack] [OSSA 2013-011] Keystone tokens not immediately invalidated when user is deleted (CVE-2013-2059) General question: Looks like a fix has been written for Grizzly. Is there an official Grizzly patch release coming out that contains this and other fixes? Regards, Mark Miller -----Original Message----- From: Openstack [mailto:openstack-bounces+mark.m.miller=hp.com@...ts.launchpad.net] On Behalf Of Thierry Carrez Sent: Thursday, May 09, 2013 8:48 AM To: openstack@...ts.launchpad.net; oss-security@...ts.openwall.com; openstack-announce@...ts.openstack.org Subject: [Openstack] [OSSA 2013-011] Keystone tokens not immediately invalidated when user is deleted (CVE-2013-2059) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenStack Security Advisory: 2013-011 CVE: CVE-2013-2059 Date: May 9, 2013 Title: Keystone tokens not immediately invalidated when user is deleted Reporter: Sam Stoelinga Products: Keystone Affects: All versions Description: Sam Stoelinga reported a vulnerability in Keystone. When users are deleted through Keystone v2 API, existing tokens for those users are not immediately invalidated and remain valid for the duration of the token's life (by default, up to 24 hours). This may result in users retaining access when the administrator of the system thought them disabled. You can workaround this issue by disabling a user before deleting it: in that case the tokens belonging to the disabled user are immediately invalidated. Keystone setups using the v3 API call to delete users are unaffected. Havana (development branch) fix: https://review.openstack.org/#/c/28677/ Grizzly fix: https://review.openstack.org/#/c/28678/ Folsom fix: https://review.openstack.org/#/c/28679/ References: https://bugs.launchpad.net/keystone/+bug/1166670 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2059 - -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBCAAGBQJRi8UUAAoJEFB6+JAlsQQjarMQAL64x2OlW3SbgOoCUDhi91lv JdBStMO6/6H1Njjv0cLEAOE/50rAJSFLsdLlzSkXHimD9NWnXogpbaKj+gWd/Jbm xDOgVtRDa8IgmaXVgA88tAO0/C6QHTQMBwBce8hVzMRRDZZ6zW7SAvofTBjdjmEj tC8nwhxF/QAx/lHwIyWHQsGCip+z9JQxT+UCQ5ytQQbSnYI/wmRWMHCCcst7XFqn H6Y9LQ8cLQAOZk0fHZx7wsFFVJ9XIiQcZxYSGPDn5/aRXlbbF6cWTy4UPB3jmMkp wJ7XSjpXzPLsTCimXwYT9CkhUYjvC7Y9Yu2XF3VycFL+bifobIfPQ2ABNBqkd/U1 2iIMq8rCTIG+GEhgBMHyrBdXJclsdzY/mFOHZhOdCsLH2pO6EPCUjO3Zs6BPtYfk zBNPRzrUXAnay+xjJhjQqxCOuskx/gxt2kOF00G1c/jZTytqzx7M4yf5GL9DYD6g LLUZpb+Ia5voocBpK2484fXlouVoQY+encQopnSZb5GarsMgO1hRK8qtExeeR3+o NPxeat15YaSvVaCgSL2msqnjIr6g3wXI1vLGdvmGny4hvNnLd+UeeQ9eT0Nc7LN9 aotaXRhDeYz71aFd8ZCYpUtoZ6I50/XnRT9+FrQ2QZ7cEKSVZjUv+mcEn0mCvZpC hqKVwOK6strcPXDlQwZr =e4jK -----END PGP SIGNATURE----- _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@...ts.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.