RedHatRHSA-2013:0992(RHSA-2013:0992) Important: python-keystoneclient security, bug fix, and enhancement update
0.01 Low
EPSS
Percentile
83.5%
Python-keystoneclient is the client library and command line utility for
interacting with the OpenStack identity API.
A flaw was found in the way python-keystoneclient handled encrypted data
from memcached. Even when the memcache_security_strategy setting in
“/etc/swift/proxy-server.conf” was set to ENCRYPT to help prevent
tampering, an attacker on the local network, or possibly an unprivileged
user in a virtual machine hosted on OpenStack, could use this flaw to
bypass intended restrictions and modify data in memcached that will later
be used by services utilizing python-keystoneclient (such as Nova, Cinder,
Swift, Glance, and so on). (CVE-2013-2166)
A flaw was found in the way python-keystoneclient verified data from
memcached. Even when the memcache_security_strategy setting in
“/etc/swift/proxy-server.conf” was set to MAC to perform signature
checking, an attacker on the local network, or possibly an unprivileged
user in a virtual machine hosted on OpenStack, could use this flaw to
modify data in memcached that will later pass signature checking in
python-keystoneclient. (CVE-2013-2167)
Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Paul McMillan of Nebula as the original
reporter.
This update also fixes the following bug:
- python-webob1.2 (which can be installed in parallel with python-webob1.0)
was not found by python-keystoneclient. Attempting to import python-webob
from python-keystoneclient failed with a stack trace. This could also be
observed with other applications using python-keystoneclient, such as
OpenStack Swift. With this update, python-keystoneclient can import
python-webob1.2 independently from other installed versions. (BZ#971026)
Additionally, this update adds the following enhancement:
- This update adds support for Amazon Web Services (AWS) Signature Version
4 to python-keystoneclient. This makes python-keystoneclient compatible
with future versions of python-boto, which will use Signature Version 4 by
default. (BZ#970134)
All users of Red Hat OpenStack 3.0 (Grizzly) Preview are advised to install
these updated packages, which correct these issues and add this
enhancement.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| RedHat | 6 | noarch | python-keystoneclient-doc | < 0.2.3-5.el6ost | python-keystoneclient-doc-0.2.3-5.el6ost.noarch.rpm |
| RedHat | 6 | src | python-keystoneclient | < 0.2.3-5.el6ost | python-keystoneclient-0.2.3-5.el6ost.src.rpm |
| RedHat | 6 | noarch | python-keystoneclient | < 0.2.3-5.el6ost | python-keystoneclient-0.2.3-5.el6ost.noarch.rpm |
Related
