keystone: CVE-2013-2014 DoS via large POST requests

Related Vulnerabilities: CVE-2013-2014, CVE-2013-0247, CVE-2013-0270

Debian Bug report logs - #708515
keystone: CVE-2013-2014 DoS via large POST requests


Reported by: Nico Golde <nion@debian.org>

Date: Thu, 16 May 2013 09:27:02 UTC

Severity: grave

Tags: patch, security

Fixed in version 2013.1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#708515; Package keystone. (Thu, 16 May 2013 09:27:07 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 16 May 2013 09:27:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: keystone: CVE-2013-2014 DoS via large POST requests
Date: Thu, 16 May 2013 11:22:56 +0200
Package: keystone
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for keystone.

CVE-2013-2014[0]:
| Concurrent requests with large POST body can crash the keystone process.
| This can be used by Malicious and lead to DOS to Cloud Service Provider.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream patch: https://review.openstack.org/#/c/22661/

Seems to be fixed for experimental in 2013.1-1.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
    http://security-tracker.debian.org/tracker/CVE-2013-2014

-- 
Nico Golde - XMPP: nion@jabber.ccc.de - GPG: 0xA0A0AAAA

Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#708515; Package keystone. (Thu, 16 May 2013 11:27:10 GMT)

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 16 May 2013 11:27:10 GMT)


Message #10 received at 708515@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: Nico Golde <nion@debian.org>, 708515@bugs.debian.org
Subject: Re: [Openstack-devel] Bug#708515: keystone: CVE-2013-2014 DoS via large POST requests
Date: Thu, 16 May 2013 19:24:25 +0800
On 05/16/2013 05:22 PM, Nico Golde wrote:
> Package: keystone
> Severity: grave
> Tags: security patch
> 
> Hi,
> the following vulnerability was published for keystone.
> 
> CVE-2013-2014[0]:
> | Concurrent requests with large POST body can crash the keystone process.
> | This can be used by Malicious and lead to DOS to Cloud Service Provider.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Upstream patch: https://review.openstack.org/#/c/22661/
> 
> Seems to be fixed for experimental in 2013.1-1.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
>     http://security-tracker.debian.org/tracker/CVE-2013-2014

Hi,

The status of the patch you are linking to is "Abandoned", so that
doesn't seem right, upstream must have another patch.

Thomas



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#708515; Package keystone. (Thu, 16 May 2013 11:54:08 GMT)

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 16 May 2013 11:54:08 GMT)


Message #15 received at 708515@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: Nico Golde <nion@debian.org>, 708515@bugs.debian.org
Subject: Re: [Openstack-devel] Bug#708515: keystone: CVE-2013-2014 DoS via large POST requests
Date: Thu, 16 May 2013 19:50:15 +0800
On 05/16/2013 05:22 PM, Nico Golde wrote:
> Package: keystone
> Severity: grave
> Tags: security patch
> 
> Hi,
> the following vulnerability was published for keystone.
> 
> CVE-2013-2014[0]:
> | Concurrent requests with large POST body can crash the keystone process.
> | This can be used by Malicious and lead to DOS to Cloud Service Provider.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Upstream patch: https://review.openstack.org/#/c/22661/
> 
> Seems to be fixed for experimental in 2013.1-1.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
>     http://security-tracker.debian.org/tracker/CVE-2013-2014

FYI, the patch for Grizzly is there:
https://review.openstack.org/#/c/19567/

Though I don't think it will be trivial to backport. I have attached the
corresponding git commit from the Grizzly (e.g. 2013.1.x) branch.

Indeed, 2013.1.1 isn't vulnerable (I could see the patch in the git
log). I uploaded that version to Sid earlier today (that was
unrelated to this issue; I was just working on it).

Cheers,

Thomas
[limit-the-size-of-http-requests.patch (text/x-diff, attachment)]

Marked as fixed in versions 2013.1. Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Sat, 01 Jun 2013 07:33:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#708515; Package keystone. (Sat, 01 Jun 2013 07:39:07 GMT)

Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sat, 01 Jun 2013 07:39:07 GMT)


Message #22 received at 708515@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Thierry Carrez <thierry@openstack.org>, 708515@bugs.debian.org
Subject: Bug #708515 in Debian
Date: Sat, 01 Jun 2013 15:36:24 +0800
Hi Thierry,

I was wondering if you could help me here. I'm worried about this new
bug in Debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708515

I tried applying the patch, though it was already applied in the Sid
version of keystone.

But also, there is this issue which I already addressed:
bugs.debian.org/cgi-bin/bugreport.cgi?bug=700240

Already CVE-2013-0247 and CVE-2013-0270 were duplicates. Is it possible
that CVE-2013-2014 is also a duplicate of the same issue?

Please let me know your thoughts, as I really would like to close this
bug. Thanks in advance,

Thomas Goirand (zigo)



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#708515; Package keystone. (Mon, 03 Jun 2013 09:38:25 GMT)

Acknowledgement sent to Thierry Carrez <thierry@openstack.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Mon, 03 Jun 2013 09:38:25 GMT)


Message #27 received at 708515@bugs.debian.org:

From: Thierry Carrez <thierry@openstack.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 708515@bugs.debian.org
Subject: Re: Bug #708515 in Debian
Date: Mon, 03 Jun 2013 11:01:40 +0200
Thomas Goirand wrote:
> I was wondering if you could help me here. I'm worried about this new
> bug in Debian:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708515

The CVE and bug are lacking a bit of information, but it really looks
like a duplicate of Debian bug 700240 (CVE-2013-0270): large POST
requests consuming server memory/CPU. Both would be mitigated by a
request-limiting front-end (for Folsom and before) or the sizelimit
middleware (for Grizzly and after), which were suggested as workarounds
for CVE-2013-0270 already.

> Already CVE-2013-0247 and CVE-2013-0270 were duplicates. Is it possible
> that CVE-2013-2014 is also a duplicate of the same issue?

CVE-2013-0247 is not a duplicate of CVE-2013-0270.

CVE-2013-0270: Large POST consuming memory/CPU
CVE-2013-0247: Malicious POST to /tokens consuming disk space

Hope this helps,

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team

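The two mitigations Thierry names above (a request-limiting front-end, or the sizelimit middleware in Grizzly and later) both come down to the same control: bound how much of a POST body the service will accept before it has seen any of it. The example below, added to this bug log and not keystone's own middleware or the patch attached to message #15, shows that control as a generic WSGI middleware driven offline against a constructed stand-in endpoint, so the failure mode from Nico's report (a body that is read whole into memory per request) can be compared with the capped version. The cap value, the class and function names, and the `/v2.0/tokens` path in the fake request are assumptions for the example.

```python
"""Request-body size cap as WSGI middleware (added example, not keystone's code)."""
import io
import json

# Hypothetical cap for this example; the real limit is a deployment decision.
MAX_BODY_BYTES = 112 * 1024


class CountingStream:
    """Constructed wsgi.input stand-in that records how many bytes were read."""

    def __init__(self, data):
        self._buf = io.BytesIO(data)
        self.bytes_read = 0

    def read(self, size=-1):
        chunk = self._buf.read(size)
        self.bytes_read += len(chunk)
        return chunk


class RequestSizeLimiter:
    """Reject request bodies larger than max_body_bytes before the app sees them.

    Check 1: a declared Content-Length above the cap is refused without reading
    any of the body. Check 2: otherwise read at most cap + 1 bytes; a (cap + 1)th
    byte proves the body is too large, and the process never buffers more than
    that regardless of what the client actually sends or declares.
    """

    def __init__(self, app, max_body_bytes=MAX_BODY_BYTES):
        self.app = app
        self.max_body_bytes = max_body_bytes

    def __call__(self, environ, start_response):
        declared = (environ.get("CONTENT_LENGTH") or "").strip()
        if declared:
            try:
                length = int(declared)
            except ValueError:
                length = -1
            if length < 0:
                return self._reject(start_response, "400 Bad Request", "invalid Content-Length")
            if length > self.max_body_bytes:
                return self._reject(start_response, "413 Request Entity Too Large", "body too large")
        stream = environ.get("wsgi.input")
        if stream is not None:
            # Bounded read: the header can be absent or a lie, so never trust it alone.
            body = stream.read(self.max_body_bytes + 1)
            if len(body) > self.max_body_bytes:
                return self._reject(start_response, "413 Request Entity Too Large", "body too large")
            environ["wsgi.input"] = io.BytesIO(body)
            environ["CONTENT_LENGTH"] = str(len(body))
        return self.app(environ, start_response)

    @staticmethod
    def _reject(start_response, status, message):
        payload = json.dumps({"error": message}).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(payload)))])
        return [payload]


def token_app(environ, start_response):
    """Stand-in JSON endpoint (not keystone's): slurps the whole body into memory.

    Unprotected, this is the shape of the bug: each concurrent request costs the
    process at least the size of its body before any validation happens.
    """
    raw = environ["wsgi.input"].read()
    try:
        doc = json.loads(raw or b"{}")
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        start_response("400 Bad Request", [("Content-Type", "application/json")])
        return [b'{"error": "malformed JSON"}']
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"received_keys": sorted(doc)}).encode()]


def post(app, body, content_length=None):
    """Drive a WSGI app offline with a constructed POST.

    Returns (status line, response body, bytes the app pulled from wsgi.input).
    """
    stream = CountingStream(body)
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/tokens", "wsgi.input": stream}
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out, stream.bytes_read


if __name__ == "__main__":
    limited = RequestSizeLimiter(token_app, max_body_bytes=1024)
    big = b'{"pad": "' + b"A" * 4096 + b'"}'
    print("unprotected:", post(token_app, big)[::2])      # 200 OK after reading all 4106 bytes
    print("declared:   ", post(limited, big, len(big))[::2])  # 413 with 0 bytes read
    print("undeclared: ", post(limited, big)[::2])        # 413 after 1025 bytes
```

The middleware only helps once the bytes have reached the Python process; the front-end workaround Thierry mentions for Folsom stops them earlier, for example with Apache's `LimitRequestBody` or nginx's `client_max_body_size` in front of the API. Neither bounds the number of concurrent requests, so a per-request cap is paired with connection or rate limits at the same front-end to address the "concurrent requests" half of the CVE text.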


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 03 Jun 2013 16:03:24 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Mon, 03 Jun 2013 16:03:24 GMT)


Message #32 received at 708515-done@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 708515-done@bugs.debian.org
Subject: Bug already fixed
Date: Tue, 04 Jun 2013 00:00:46 +0800
As per TTX email, and as I already thought, this bug has already been
fixed a long time ago, so I'm closing it.

Thomas



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Jul 2013 07:29:29 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:16:07 2019; Machine Name: buxtehude
