Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <5149D4E2.1060804@openstack.org>
Date: Wed, 20 Mar 2013 16:25:22 +0100
From: Thierry Carrez <thierry@...nstack.org>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, 
 oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org
Subject: [OSSA 2013-009] Keystone PKI tokens online validation bypasses revocation
 check (CVE-2013-1865)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-009
CVE: CVE-2013-1865
Date: March 20, 2013
Title: Keystone PKI tokens online validation bypasses revocation check
Reporter: Guang Yee (HP)
Products: Keystone
Affects: Folsom

Description:
Guang Yee from HP reported a vulnerability in the revocation check for
Keystone PKI tokens. Those tokens are supposed to be validated locally
using cryptographic checks, but the user also has the option of asking
the server to validate them. In that case, the online verification of
PKI tokens would bypass the revocation check, potentially affirming
revocated tokens are still valid. Only Folsom setups making use of
online verification of PKI tokens are affected.

Folsom fix:
https://review.openstack.org/#/c/24906/

References:
https://bugs.launchpad.net/keystone/folsom/+bug/1129713
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1865

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRSdTdAAoJEFB6+JAlsQQj9sUQAL0y9zV5xWHDhAFpfaUGobq6
n5TVeEEf3kb1CIYuVhX6vHuPl2CtoekMSX7MOLehiwmbxGw3B4G7DONZrWuxmzOT
J9B9kwMew3K5lE3X4oYH3cHjkTC+ZsnlUBzNiJIXEAkBFaGLmCwbt2eCREBcKvU8
glaPKncO226Y85wMV+Sbe12qDX/82o6TydkcJglhdGF3AYI4813yGb/U41rkKUnq
zlsg4Zaea4IFUe23fc9EchRDcgR1N+yfZf04+CKRymhvOcYzSLZDNxJpYN+jwzLy
UcB3Jqak8FR0+w3k28bz41COUWtynrTy5FAoDgvGtLM2m1GedMygNKdMb1yERC9z
ELWb0P1Z6qt5zZa6BORM185PJ9Dy5zQkOOOH1I7nWjnIa9wFzvbQBKHv5WPARWDu
rdAM2I55JmGxo6qFJWK6QnpYI6o6PQjQ2s0FC/H2kCMgXPygURD/X101Y2lOFSZ7
P8OhTKoVYqZf5pImpKCbtm1GHWIpev7BkzWvsFpPhVz4ExHSTsmc1Mk2ugDGQrgO
tCcF7Eo0eABepY4qVrSUi4euZvpFsWcjl7GzQ0WLCWyMUdPo9271ZfsgxfPxId7l
CMgn2hgpGv5+yTDDg4p8NSqmUp5hSMo/i6zgDrL9XEn4qx5Rr8pNqV/vUhmYQmzV
qQqwB3DR57T1eFMlGL7y
=9dar
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.