Bugzilla – Bug 824818
VUL-0: python-keystoneclient: CVE-2013-2166, CVE-2013-2167: bypass encryption or signing security strategy
Last modified: 2014-01-20 12:26:27 UTC
bugbot adjusting priority
is public now

OpenStack Security Advisory: 2013-017
CVE: CVE-2013-2166, CVE-2013-2167
Date: June 19, 2013
Title: Issues in Keystone middleware memcache signing/encryption feature
Reporter: Paul McMillan (Nebula)
Products: python-keystoneclient
Affects: version 0.2.3 to 0.2.5

Description:
Paul McMillan from Nebula reported multiple issues in the implementation of memcache signing/encryption feature in Keystone client middleware. An attacker with direct write access to the memcache backend (or in a man-in-the-middle position) could insert malicious data and potentially bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167) security strategy that was specified. Only setups that make use of memcache caching in the Keystone middleware (specify memcache_servers) and using ENCRYPT or MAC as their memcache_security_strategy are affected.

python-keystoneclient fix (will be included in upcoming 0.2.6 release):
https://review.openstack.org/#/c/33661

References:
https://bugs.launchpad.net/python-keystoneclient/+bug/1175367
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2166
https://bugs.launchpad.net/python-keystoneclient/+bug/1175368
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2167
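The advisory above does not spell out the defective check. As an added example (not code from python-keystoneclient or the advisory), the following shows how a consumer of a shared memcache can bind the configured memcache_security_strategy to what it will accept, so that an entry written directly to the backend without a valid MAC for the configured key is rejected instead of trusted on the strength of its own prefix. The dict backend, the SecureTokenCache class and the key are assumptions; ENCRYPT mode is left out because it needs an AEAD cipher from a third-party library.

```python
import base64
import hashlib
import hmac
import json


class SecureTokenCache:
    """Constructed example: `backend` is a dict standing in for memcache."""

    def __init__(self, backend, strategy, secret_key):
        # Mirrors memcache_security_strategy; only NONE and MAC are modelled.
        if strategy not in ("NONE", "MAC"):
            raise ValueError("unsupported memcache_security_strategy: %s" % strategy)
        self.backend = backend
        self.strategy = strategy
        self.key = secret_key

    def _tag(self, token_id, payload):
        # The cache key is part of the MACed message, so a valid entry cannot
        # simply be copied under another token id (added hardening, an assumption).
        msg = token_id.encode() + b"\0" + payload
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def set(self, token_id, data):
        payload = base64.b64encode(json.dumps(data, sort_keys=True).encode())
        if self.strategy == "MAC":
            entry = "MAC:" + self._tag(token_id, payload) + ":" + payload.decode()
        else:
            entry = "NONE:" + payload.decode()
        self.backend[token_id] = entry

    def get(self, token_id):
        entry = self.backend.get(token_id)
        if entry is None:
            return None
        # The configured strategy decides what an entry must look like; the
        # entry's own prefix is never allowed to downgrade the check.
        if self.strategy == "MAC":
            parts = entry.split(":", 2)
            if len(parts) != 3 or parts[0] != "MAC":
                return None  # unsigned or foreign format: reject
            tag, payload = parts[1], parts[2].encode()
            if not hmac.compare_digest(tag, self._tag(token_id, payload)):
                return None  # forged, modified or relocated entry
        else:
            if not entry.startswith("NONE:"):
                return None
            payload = entry[5:].encode()
        try:
            return json.loads(base64.b64decode(payload, validate=True))
        except ValueError:  # covers binascii.Error and JSONDecodeError
            return None
```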
I committed a backport to C:OS:Grizzly:Staging, I'll copypac to D:C:2.0:Staging once tests passed.
sr#29645
Update released for: python-keystoneclient, python-keystoneclient-doc, python-keystoneclient-test
Products: SUSE-CLOUD 2.0 (x86_64)
SUSE-SU-2014:0089-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 824818, 829080
CVE References: CVE-2013-2166, CVE-2013-2167, CVE-2013-2255
Sources used: SUSE Cloud 2.0 (src): python-keystoneclient-0.2.3-0.19.1