Debian Bug report logs -
#708515
keystone: CVE-2013-2014 DoS via large POST requests
Reported by: Nico Golde <nion@debian.org>
Date: Thu, 16 May 2013 09:27:02 UTC
Severity: grave
Tags: patch, security
Fixed in version 2013.1
Done: Thomas Goirand <zigo@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>
:
Bug#708515
; Package keystone
.
(Thu, 16 May 2013 09:27:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>
:
New Bug report received and forwarded. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>
.
(Thu, 16 May 2013 09:27:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: keystone
Severity: grave
Tags: security patch
Hi,
the following vulnerability was published for keystone.
CVE-2013-2014[0]:
| Concurrent requests with large POST body can crash the keystone process.
| This can be used by Malicious and lead to DOS to Cloud Service Provider.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Upstream patch: https://review.openstack.org/#/c/22661/
Seems to be fixed for experimental in 2013.1-1.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
http://security-tracker.debian.org/tracker/CVE-2013-2014
--
Nico Golde - XMPP: nion@jabber.ccc.de - GPG: 0xA0A0AAAA
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>
:
Bug#708515
; Package keystone
.
(Thu, 16 May 2013 11:27:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <thomas@goirand.fr>
:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>
.
(Thu, 16 May 2013 11:27:10 GMT) (full text, mbox, link).
Message #10 received at 708515@bugs.debian.org (full text, mbox, reply):
On 05/16/2013 05:22 PM, Nico Golde wrote:
> Package: keystone
> Severity: grave
> Tags: security patch
>
> Hi,
> the following vulnerability was published for keystone.
>
> CVE-2013-2014[0]:
> | Concurrent requests with large POST body can crash the keystone process.
> | This can be used by Malicious and lead to DOS to Cloud Service Provider.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Upstream patch: https://review.openstack.org/#/c/22661/
>
> Seems to be fixed for experimental in 2013.1-1.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
> http://security-tracker.debian.org/tracker/CVE-2013-2014
Hi,
The status of the patch you are linking to is "Abandoned", so that
doesn't seem right, upstream must have another patch.
Thomas
Information forwarded
to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>
:
Bug#708515
; Package keystone
.
(Thu, 16 May 2013 11:54:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <thomas@goirand.fr>
:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>
.
(Thu, 16 May 2013 11:54:08 GMT) (full text, mbox, link).
Message #15 received at 708515@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 05/16/2013 05:22 PM, Nico Golde wrote:
> Package: keystone
> Severity: grave
> Tags: security patch
>
> Hi,
> the following vulnerability was published for keystone.
>
> CVE-2013-2014[0]:
> | Concurrent requests with large POST body can crash the keystone process.
> | This can be used by Malicious and lead to DOS to Cloud Service Provider.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Upstream patch: https://review.openstack.org/#/c/22661/
>
> Seems to be fixed for experimental in 2013.1-1.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
> http://security-tracker.debian.org/tracker/CVE-2013-2014
FYI, the patch for Grizzly is there:
https://review.openstack.org/#/c/19567/
Though I don't think it will be trivial to backport. I have attached the
corresponding git commit from the Grizzly (eg: 2013.1.x) branch.
Indeed, 2013.1.1 isn't vulnerable (I could see the patch in the git
log). I have uploaded earlier today that version to Sid (and that was
unrelated to this issue, I was just working on it).
Cheers,
Thomas
[limit-the-size-of-http-requests.patch (text/x-diff, attachment)]
Marked as fixed in versions 2013.1.
Request was from Thomas Goirand <thomas@goirand.fr>
to control@bugs.debian.org
.
(Sat, 01 Jun 2013 07:33:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>
:
Bug#708515
; Package keystone
.
(Sat, 01 Jun 2013 07:39:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <zigo@debian.org>
:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>
.
(Sat, 01 Jun 2013 07:39:07 GMT) (full text, mbox, link).
Message #22 received at 708515@bugs.debian.org (full text, mbox, reply):
Hi Thierry,
I was wondering if you could help me here. I'm worried about this new
bug in Debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708515
I tried applying the patch, though it was already applied in the Sid
version of keystone.
But also, there is this issue which I already addressed:
bugs.debian.org/cgi-bin/bugreport.cgi?bug=700240
Already CVE-2013-0247 and CVE-2013-0270 were duplicates. Is it possible
that CVE-2013-2014 is also a duplicate of the same issue?
Please let me know your thoughts, as I really would like to close this
bug. Thanks in advance,
Thomas Goirand (zigo)
Information forwarded
to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>
:
Bug#708515
; Package keystone
.
(Mon, 03 Jun 2013 09:38:25 GMT) (full text, mbox, link).
Acknowledgement sent
to Thierry Carrez <thierry@openstack.org>
:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>
.
(Mon, 03 Jun 2013 09:38:25 GMT) (full text, mbox, link).
Message #27 received at 708515@bugs.debian.org (full text, mbox, reply):
Thomas Goirand wrote:
> I was wondering if you could help me here. I'm worried about this new
> bug in Debian:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708515
The CVE and bug are lacking a bit of information, but it really looks
like a duplicate of Debian bug 700240 (CVE-2013-0270): large POST
requests consuming server memory/CPU. Both would be mitigated by a
request-limiting front-end (for Folsom and before) or the sizelimit
middleware (for Grizzly and after), which were suggested as workarounds
for CVE-2013-0270 already.
> Already CVE-2013-0247 and CVE-2013-0270 were duplicates. Is it possible
> that CVE-2013-2014 is also a duplicate of the same issue?
CVE-2013-0247 is not a duplicate of CVE-2013-0270.
CVE-2013-0270: Large POST consuming memory/CPU
CVE-2013-0247: Malicious POST to /tokens consuming disk space
Hope this helps,
--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
Reply sent
to Thomas Goirand <zigo@debian.org>
:
You have taken responsibility.
(Mon, 03 Jun 2013 16:03:24 GMT) (full text, mbox, link).
Notification sent
to Nico Golde <nion@debian.org>
:
Bug acknowledged by developer.
(Mon, 03 Jun 2013 16:03:24 GMT) (full text, mbox, link).
Message #32 received at 708515-done@bugs.debian.org (full text, mbox, reply):
As per TTX email, and as I already thought, this bug has already been
fixed a long time ago, so I'm closing it.
Thomas
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 02 Jul 2013 07:29:29 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:16:07 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.