[Openstack-devel] Bug#700240: keystone: CVE-2013-0270: Large HTTP request DoS

Salvatore Bonaccorso carnil at debian.org
Wed Feb 13 21:36:04 UTC 2013


Hi Thomas

Cc'ing the Security Team as they might give better input on this.

On Wed, Feb 13, 2013 at 10:14:20PM +0800, Thomas Goirand wrote:
> Hi Salvatore,
> 
> This was already fixed before you submitted the bug. See #699835.
> 
> Next time, please check the bug history, because this made me lose
> quite some time, thinking that this was a new issue.

I have done this to the best of my knowledge. I was reporting
found/assigned CVEs, but mistakes can happen. E.g. the keystone
changelog refers to CVE-2013-0247.

There are two CVEs so far.

This is the information I have available:

 - CVE-2013-0247: (#699835): Keystone denial of service through
   invalid token requests

   Announce: https://lists.launchpad.net/openstack/msg20689.html
   Upstream patch for Essex: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff;h=7b5b72f4c1d16968435fb2e18c4f47765bd8f098
   Upstream patch for Folsom: https://github.com/openstack/keystone/commit/bb2226f944aaa38beb7fc08ce0a78796e51e2680
   Launchpad: https://bugs.launchpad.net/keystone/+bug/1098307

   AFAICS, the patch for Essex was applied to keystone/2012.1.1-12.

 - CVE-2013-0270 (#700240): OpenStack Keystone: Large HTTP request DoS

   Still valid for 2012.2.1? In [1] it is mentioned that it introduces
   new features. Thus for Essex a patch based on the one for #699835 is
   referenced. Strictly speaking, for 2012.1.1 the fix for it would
   introduce new features and thus might not be applicable. The CVE is
   still open for keystone in experimental, which might be fixed
   with [2].

   [1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0270
   [2]: https://github.com/openstack/keystone/commit/7691276b869a86c2b75631d5bede9f61e030d9d8
   [3]: https://bugs.launchpad.net/keystone/+bug/1099025

From my understanding (please correct me), CVE-2013-0247 and
CVE-2013-0270 are two 'different' vulnerabilities. But the fix for
CVE-2013-0270 cannot be applied to 2012.1.1 as it introduces new
"features", thus Essex can only be fixed with the patch already
applied.

So closing the bugs for 2012.1.1 as you did looks correct. I added
some 'found' marking to the BTS (please see both bugs).

Thanks for your work on this,

Regards,
Salvatore
