Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <50660D91.9020104@redhat.com>
Date: Fri, 28 Sep 2012 16:50:25 -0400
From: Russell Bryant <rbryant@...hat.com>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>,
        oss-security@...ts.openwall.com
Subject: [OSSA 2012-015] Some actions in Keystone admin API do not validate
 token (CVE-2012-4456)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenStack Security Advisory: 2012-015
CVE: CVE-2012-4456
Date: September 28, 2012
Title: Some actions in Keystone admin API do not validate token
Impact: High
Reporter: Jason Xu
Products: Keystone
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2
development milestone)

Description:
Jaxon Xu reported a vulnerability in Keystone. Two admin API actions
did not require a valid token.  The first was listing roles for a
user.  The second was the ability to get, create, and delete services.

Folom Fixes: (Included in 2012.2)
http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb
http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb

Essex Fixes: (Included in 2012.1.2)
http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1
http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456
https://bugs.launchpad.net/keystone/+bug/1006815
https://bugs.launchpad.net/keystone/+bug/1006822

- -- 
Russell Bryant
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBmDZAACgkQFg9ft4s9SAYPhACfTBNPMETkhmP8OG4g11VgZi11
yCkAn2sc3GtVKy/m1Xq4fobHW45nyb5X
=bkKK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.