keystone: CVE-2012-445{6,7}

Related Vulnerabilities: CVE-2012-4456   CVE-2012-4457  

Debian Bug report logs - #689210


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Sun, 30 Sep 2012 12:09:01 UTC

Severity: grave

Tags: security

Fixed in version keystone/2012.1.1-9

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#689210; Package keystone. (Sun, 30 Sep 2012 12:09:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 30 Sep 2012 12:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: keystone: CVE-2012-445{6,7}
Date: Sun, 30 Sep 2012 14:04:52 +0200
Package: keystone
Severity: grave
Tags: security
Justification: user security hole

Hi,

two more CVEs were allocated for keystone:

CVE-2012-4456: fails to validate tokens in Admin API
CVE-2012-4457: fails to raise Unauthorized user error for disabled
tenant

Could you upload isolated fixes to unstable?

Regards,

-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#689210; Package keystone. (Sun, 30 Sep 2012 15:30:03 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 30 Sep 2012 15:30:03 GMT)


Message #10 received at 689210@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 689210@bugs.debian.org
Subject: Re: [Openstack-devel] Bug#689210: keystone: CVE-2012-445{6,7}
Date: Sun, 30 Sep 2012 23:26:35 +0800
On 09/30/2012 08:04 PM, Yves-Alexis Perez wrote:
> Package: keystone
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> two more CVEs were allocated for keystone:
>
> CVE-2012-4456: fails to validate tokens in Admin API
> CVE-2012-4457: fails to raise Unauthorized user error for disabled
> tenant
>
> Could you upload isolated fixes to unstable?
>
> Regards,

Hi,

I normally receive patches when such problems happen in OpenStack, though
this time I didn't. Do you have URLs for the patches?

Thomas



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#689210; Package keystone. (Sun, 30 Sep 2012 19:21:10 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 30 Sep 2012 19:21:10 GMT)


Message #15 received at 689210@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 689210@bugs.debian.org
Subject: Re: [Openstack-devel] Bug#689210: keystone: CVE-2012-445{6,7}
Date: Sun, 30 Sep 2012 21:16:59 +0200
On dim., 2012-09-30 at 23:26 +0800, Thomas Goirand wrote:
> On 09/30/2012 08:04 PM, Yves-Alexis Perez wrote:
> > Package: keystone
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi,
> >
> > two more CVEs were allocated for keystone:
> >
> > CVE-2012-4456: fails to validate tokens in Admin API
> > CVE-2012-4457: fails to raise Unauthorized user error for disabled
> > tenant
> >
> > Could you upload isolated fixes to unstable?
> >
> > Regards,
> 
> Hi,
> 
> I normally receive patches when such problems happen in OpenStack, though
> this time I didn't. Do you have URLs for the patches?
> 

It seems that Red Hat has some:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4456
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4457

Regards,
-- 
Yves-Alexis

Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 01 Oct 2012 07:21:03 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Mon, 01 Oct 2012 07:21:03 GMT)


Message #20 received at 689210-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 689210-close@bugs.debian.org
Subject: Bug#689210: fixed in keystone 2012.1.1-9
Date: Mon, 01 Oct 2012 07:17:58 +0000
Source: keystone
Source-Version: 2012.1.1-9

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689210@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 01 Oct 2012 05:52:23 +0000
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.1.1-9
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 689210
Changes: 
 keystone (2012.1.1-9) unstable; urgency=high
 .
   * Fixes sometimes failing keystone.postrm (db_get in some conditions can
     return false), and fixed inconsistent indenting.
   * Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone
     /keystone.conf.sample for temporary storing the conf file (this was a policy
     violation, as the doc folder should never be required).
   * Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled,
     CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Nov 2012 07:25:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:09:50 2019; Machine Name: buxtehude
