[Openstack-devel] Bug#708515: Bug#708515: keystone: CVE-2013-2014 DoS via large POST requests

Thomas Goirand thomas at goirand.fr
Thu May 16 11:50:15 UTC 2013


On 05/16/2013 05:22 PM, Nico Golde wrote:
> Package: keystone
> Severity: grave
> Tags: security patch
> 
> Hi,
> the following vulnerability was published for keystone.
> 
> CVE-2013-2014[0]:
> | Concurrent requests with large POST body can crash the keystone process.
> | This can be used by Malicious and lead to DOS to Cloud Service Provider.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Upstream patch: https://review.openstack.org/#/c/22661/
> 
> Seems to be fixed for experimental in 2013.1-1.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
>     http://security-tracker.debian.org/tracker/CVE-2013-2014

FYI, the patch for Grizzly is here:
https://review.openstack.org/#/c/19567/

Though I don't think it will be trivial to backport. I have attached the
corresponding git commit from the Grizzly (e.g. 2013.1.x) branch.

Indeed, 2013.1.1 isn't vulnerable (I could see the patch in the git
log). I uploaded that version to Sid earlier today (and that was
unrelated to this issue, I was just working on it).

Cheers,

Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: limit-the-size-of-http-requests.patch
Type: text/x-diff
Size: 26010 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20130516/694c5560/attachment-0001.patch>
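The mitigation named by the attached patch (limiting the size of HTTP requests so concurrent large POST bodies cannot exhaust the service) as an added example in Python; this is not keystone's own code and not the attached patch. The 112 KiB default, the class names and the `echo_app`/`run_request` helpers are assumptions for illustration.

```python
# Added example, not keystone's own patch; the 112 KiB default and all names are assumed.
import io

class LimitedInput:  # stops reads at the cap even when Content-Length is absent or lies
    def __init__(self, stream, limit):
        self._stream, self._remaining = stream, limit

    def read(self, size=-1):
        if size is None or size < 0 or size > self._remaining + 1:
            size = self._remaining + 1  # one extra byte reveals an overrun
        data = self._stream.read(size)
        if len(data) > self._remaining:
            raise ValueError("request body exceeds configured limit")
        self._remaining -= len(data)
        return data

class RequestBodyLimiter:
    def __init__(self, app, max_bytes=112 * 1024):
        self.app, self.max_bytes = app, max_bytes

    def __call__(self, environ, start_response):
        try:
            declared = int(environ.get("CONTENT_LENGTH") or "0")
        except ValueError:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"invalid Content-Length\n"]
        if declared > self.max_bytes:  # reject before touching the body at all
            start_response("413 Request Entity Too Large", [("Content-Type", "text/plain")])
            return [b"request body too large\n"]
        environ["wsgi.input"] = LimitedInput(environ["wsgi.input"], self.max_bytes)
        return self.app(environ, start_response)

def echo_app(environ, start_response):
    body = environ["wsgi.input"].read()  # an app that naively buffers the whole body
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]

def run_request(app, body, content_length=None):
    """Drive app with a constructed POST; an overrun caught by LimitedInput maps to 413."""
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body),
               "CONTENT_LENGTH": str(len(body) if content_length is None else content_length)}
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    try:
        out = b"".join(app(environ, start_response))
    except ValueError:
        return "413 Request Entity Too Large", b""
    return seen["status"], out
```

Rejecting on the declared Content-Length alone is cheap, but the wrapped input stream is what protects against a body that is larger than declared or arrives without a length at all.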