[Openstack-devel] Bug#731981: Bug#731981: keystone: CVE-2013-6391: Keystone trust circumvention through EC2-style tokens

Thomas Goirand zigo at debian.org
Thu Dec 12 01:00:51 UTC 2013


On 12/12/2013 06:11 AM, Salvatore Bonaccorso wrote:
> Package: keystone
> Version: 2013.2-4
> Severity: grave
> Tags: security upstream patch
> 
> Hi Thomas,
> 
> the following vulnerability was published for keystone.
> 
> CVE-2013-6391[0]:
> Keystone trust circumvention through EC2-style tokens
> 
> Upstream bug report is at [1]. keystone in wheezy does not seem to be
> affected, at least I have not found the vulnerable code (and upstream
> also says it affects only (grizzly), havana and later).
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6391
>     http://security-tracker.debian.org/tracker/CVE-2013-6391
> [1] https://launchpad.net/bugs/1242597
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1039164
> 
> Regards, and thanks for your work.
> 
> Salvatore

Hi,

Keystone, like the rest of OpenStack, is going to be updated very soon,
with version 2013.2.1 being released. At this point, it makes more sense
to wait one more day to get the update from upstream including the fix,
which is what I'm planning to do. There are also some updates for Neutron,
Nova and Heat coming soon.

Cheers,

Thomas Goirand (zigo)
