CVE-2014-0105: Potential context confusion in Keystone middleware

Debian Bug report logs - #742898

Reported by: Thomas Goirand <zigo@debian.org>

Date: Fri, 28 Mar 2014 18:36:02 UTC

Severity: important

Tags: security

Found in versions python-keystoneclient/1:0.6.0-2, python-keystoneclient/1:0.5.1-1

Fixed in versions python-keystoneclient/1:0.7.1-1, python-keystoneclient/1:0.6.0-4

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#742898; Package python-keystoneclient. (Fri, 28 Mar 2014 18:36:07 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 28 Mar 2014 18:36:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-0105: Potential context confusion in Keystone middleware
Date: Sat, 29 Mar 2014 02:32:16 +0800
Package: python-keystoneclient
Version: 1:0.6.0-2
Severity: important
Tags: security

Title: Potential context confusion in Keystone middleware
Reporter: Kieran Spear (University of Melbourne)
Products: python-keystoneclient
Versions: All versions up to 0.6.0

Description:
Kieran Spear from the University of Melbourne reported a vulnerability
in Keystone auth_token middleware (shipped in python-keystoneclient). By
doing repeated requests, with sufficient load on the target system, an
authenticated user may in certain situations assume another
authenticated user's complete identity and multi-tenant authorizations,
potentially resulting in a privilege escalation. Note that it is related
to a bad interaction between eventlet and python-memcached that should
be avoided if the calling process already monkey-patches "thread" to use
eventlet. Only keystone middleware setups using auth_token with memcache
are vulnerable.

Proposed patch:
See attached patch. This patch has already been merged to the master
branch of python-keystoneclient and will be included in the 0.7.0 release.

Note from the maintainer: I have the package ready, and will upload it
as soon as I have the ACK from the bug tracker.
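The advisory above says the confusion comes from auth_token's memcache access when many eventlet-driven requests share one python-memcached client, and the backported fix "adds pooling for cache references". The following is an added illustration, not python-keystoneclient's code: `FakeCacheClient`, `ClientPool` and `any_overlap` are hypothetical names, the client is a constructed stand-in that needs no memcached, and it contrasts the pre-fix shape (one client object reused by every request) with the post-fix shape (each request reserves exclusive use of a pooled client).

```python
import queue
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from contextlib import contextmanager

class FakeCacheClient:
    """Constructed memcache-client stand-in (no server). One instance owns one
    connection; `overlap` records whether two callers ever used it at once."""
    def __init__(self):
        self._busy, self.overlap, self._lock = 0, False, threading.Lock()

    def get(self, key):
        with self._lock:
            self._busy += 1
            self.overlap |= self._busy > 1  # another caller is mid-request here
        time.sleep(0.02)  # simulated round trip to memcached
        with self._lock:
            self._busy -= 1
        return "token-data-for-%s" % key

    @contextmanager
    def reserve(self):  # pre-fix shape: every request "reserves" the same client
        yield self

class ClientPool:
    """Post-fix shape: each request gets exclusive use of one idle client."""
    def __init__(self, factory, size=4):
        self._free = queue.Queue()
        for _ in range(size):
            self._free.put(factory())

    @contextmanager
    def reserve(self):
        client = self._free.get()  # blocks while every client is lent out
        try:
            yield client
        finally:
            self._free.put(client)  # return the connection for the next request

def any_overlap(source, n_requests=8):
    """Concurrent lookups via source.reserve(); True if a client served two at once."""
    used = []
    def request(i):
        with source.reserve() as client:
            client.get("token-%d" % i)
            used.append(client)
    with ThreadPoolExecutor(max_workers=n_requests) as executor:
        list(executor.map(request, range(n_requests)))
    return any(c.overlap for c in used)
```

With a single shared client, `any_overlap` reports concurrent use of one connection, which is the condition under which one request can consume a reply meant for another; with the pool it never does, because the queue hands each client to exactly one request until it is returned.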



Marked as found in versions python-keystoneclient/1:0.5.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Mar 2014 18:51:08 GMT) (full text, mbox, link).


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sat, 29 Mar 2014 03:51:05 GMT) (full text, mbox, link).


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Sat, 29 Mar 2014 03:51:05 GMT) (full text, mbox, link).


Message #12 received at 742898-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 742898-close@bugs.debian.org
Subject: Bug#742898: fixed in python-keystoneclient 1:0.6.0-4
Date: Sat, 29 Mar 2014 03:48:54 +0000
Source: python-keystoneclient
Source-Version: 1:0.6.0-4

We believe that the bug you reported is fixed in the latest version of
python-keystoneclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742898@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-keystoneclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 29 Mar 2014 02:09:25 +0800
Source: python-keystoneclient
Binary: python-keystoneclient
Architecture: source all
Version: 1:0.6.0-4
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 python-keystoneclient - client library for the OpenStack Keystone API
Closes: 742898
Changes: 
 python-keystoneclient (1:0.6.0-4) unstable; urgency=high
 .
   * Uploading to unstable.
   * CVE_2014_0105: Adds CVE_2014_0105_add_pooling_for_cache_references.patch,
     which was backported from version 0.7.0 (Closes: #742898).
   * Allow the unit tests to fail because they do in Wheezy/Havana.


Marked as fixed in versions python-keystoneclient/1:0.7.1-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 02 Nov 2014 14:54:12 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 01 Dec 2014 08:24:14 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:11:25 2019; Machine Name: buxtehude
