Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <D6182642CE6D2D4FBFCDF99946E249883B2FF461@G4W3299.americas.hpqcorp.net>
Date: Thu, 9 May 2013 16:02:24 +0000
From: "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <mark.m.miller@...com>
To: Thierry Carrez <thierry@...nstack.org>, "openstack@...ts.launchpad.net"
	<openstack@...ts.launchpad.net>, "oss-security@...ts.openwall.com"
	<oss-security@...ts.openwall.com>, "openstack-announce@...ts.openstack.org"
	<openstack-announce@...ts.openstack.org>
Subject: RE: [Openstack] [OSSA 2013-011] Keystone tokens not immediately
 invalidated when user is deleted (CVE-2013-2059)

General question:

Looks like a fix has been written for Grizzly. Is there an official Grizzly patch release coming out that contains this and other fixes? 

Regards,

Mark Miller

-----Original Message-----
From: Openstack [mailto:openstack-bounces+mark.m.miller=hp.com@...ts.launchpad.net] On Behalf Of Thierry Carrez
Sent: Thursday, May 09, 2013 8:48 AM
To: openstack@...ts.launchpad.net; oss-security@...ts.openwall.com; openstack-announce@...ts.openstack.org
Subject: [Openstack] [OSSA 2013-011] Keystone tokens not immediately invalidated when user is deleted (CVE-2013-2059)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-011
CVE: CVE-2013-2059
Date: May 9, 2013
Title: Keystone tokens not immediately invalidated when user is deleted
Reporter: Sam Stoelinga
Products: Keystone
Affects: All versions

Description:
Sam Stoelinga reported a vulnerability in Keystone. When users are
deleted through Keystone v2 API, existing tokens for those users are not
immediately invalidated and remain valid for the duration of the token's
life (by default, up to 24 hours). This may result in users retaining
access when the administrator of the system thought them disabled. You
can workaround this issue by disabling a user before deleting it: in
that case the tokens belonging to the disabled user are immediately
invalidated. Keystone setups using the v3 API call to delete users are
unaffected.

Havana (development branch) fix:
https://review.openstack.org/#/c/28677/

Grizzly fix:
https://review.openstack.org/#/c/28678/

Folsom fix:
https://review.openstack.org/#/c/28679/

References:
https://bugs.launchpad.net/keystone/+bug/1166670
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2059

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRi8UUAAoJEFB6+JAlsQQjarMQAL64x2OlW3SbgOoCUDhi91lv
JdBStMO6/6H1Njjv0cLEAOE/50rAJSFLsdLlzSkXHimD9NWnXogpbaKj+gWd/Jbm
xDOgVtRDa8IgmaXVgA88tAO0/C6QHTQMBwBce8hVzMRRDZZ6zW7SAvofTBjdjmEj
tC8nwhxF/QAx/lHwIyWHQsGCip+z9JQxT+UCQ5ytQQbSnYI/wmRWMHCCcst7XFqn
H6Y9LQ8cLQAOZk0fHZx7wsFFVJ9XIiQcZxYSGPDn5/aRXlbbF6cWTy4UPB3jmMkp
wJ7XSjpXzPLsTCimXwYT9CkhUYjvC7Y9Yu2XF3VycFL+bifobIfPQ2ABNBqkd/U1
2iIMq8rCTIG+GEhgBMHyrBdXJclsdzY/mFOHZhOdCsLH2pO6EPCUjO3Zs6BPtYfk
zBNPRzrUXAnay+xjJhjQqxCOuskx/gxt2kOF00G1c/jZTytqzx7M4yf5GL9DYD6g
LLUZpb+Ia5voocBpK2484fXlouVoQY+encQopnSZb5GarsMgO1hRK8qtExeeR3+o
NPxeat15YaSvVaCgSL2msqnjIr6g3wXI1vLGdvmGny4hvNnLd+UeeQ9eT0Nc7LN9
aotaXRhDeYz71aFd8ZCYpUtoZ6I50/XnRT9+FrQ2QZ7cEKSVZjUv+mcEn0mCvZpC
hqKVwOK6strcPXDlQwZr
=e4jK
-----END PGP SIGNATURE-----

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@...ts.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.