Message-ID: <51C1D0E1.9000704@openstack.org>
Date: Wed, 19 Jun 2013 17:40:17 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: [OSSA 2013-017] Issues in Keystone middleware memcache signing/encryption feature (CVE-2013-2166, CVE-2013-2167)

OpenStack Security Advisory: 2013-017
CVE: CVE-2013-2166, CVE-2013-2167
Date: June 19, 2013
Title: Issues in Keystone middleware memcache signing/encryption feature
Reporter: Paul McMillan (Nebula)
Products: python-keystoneclient
Affects: versions 0.2.3 to 0.2.5

Description:
Paul McMillan from Nebula reported multiple issues in the implementation of
the memcache signing/encryption feature in the Keystone client middleware.
An attacker with direct write access to the memcache backend (or in a
man-in-the-middle position) could insert malicious data and potentially
bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167) security
strategy that was specified. Only setups that make use of memcache caching
in the Keystone middleware (specify memcache_servers) and use ENCRYPT or
MAC as their memcache_security_strategy are affected.
python-keystoneclient fix (will be included in upcoming 0.2.6 release):
https://review.openstack.org/#/c/33661

References:
https://bugs.launchpad.net/python-keystoneclient/+bug/1175367
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2166
https://bugs.launchpad.net/python-keystoneclient/+bug/1175368
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2167

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
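As an added illustration (not python-keystoneclient code and not the linked fix), this shows the defensive principle behind a memcache security strategy such as MAC: a cached entry is accepted only if it carries the marker for the configured strategy and a valid HMAC, so data written directly to the cache cannot substitute an unprotected or altered token. The in-memory backend, key, token contents and function names are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed stand-in for the memcache backend; anyone with write access
# to memcache can place arbitrary bytes here, which is the threat model
# described in the advisory.
backend = {}

SECRET = b"constructed-demo-key"  # hypothetical shared MAC key

def _mac(data: bytes) -> str:
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def store_token(key: str, token: dict) -> None:
    """Cache a token under the MAC strategy as 'MAC:<hex hmac>:<payload>'."""
    payload = json.dumps(token, sort_keys=True).encode()
    backend[key] = b"MAC:" + _mac(payload).encode() + b":" + payload

def load_token(key: str, strategy: str = "MAC"):
    """Return the cached token, or None unless the entry carries a valid
    protection for the configured strategy.  Entries without the marker or
    with a wrong MAC are never accepted, so a direct write to the cache
    cannot downgrade the strategy or alter a token."""
    raw = backend.get(key)
    if raw is None:
        return None
    if strategy != "MAC":
        raise ValueError("unsupported strategy in this example")
    prefix, _, rest = raw.partition(b":")
    if prefix != b"MAC":
        return None  # missing/wrong strategy marker: reject unprotected data
    mac_hex, sep, payload = rest.partition(b":")
    if not sep:
        return None  # malformed entry
    # constant-time comparison of the stored MAC against a freshly computed one
    if not hmac.compare_digest(mac_hex.decode("ascii", "replace"), _mac(payload)):
        return None  # altered payload or forged MAC
    return json.loads(payload)

def demo():
    """Store one token properly, then write two entries directly to the
    backend (constructed: one unprotected, one with an altered payload)
    and show that only the properly protected entry is returned."""
    store_token("tok1", {"user": "alice", "roles": ["member"]})
    backend["tok2"] = json.dumps({"user": "mallory", "roles": ["admin"]}).encode()
    backend["tok3"] = backend["tok1"].replace(b"member", b"admin")
    return load_token("tok1"), load_token("tok2"), load_token("tok3")
```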