There is a flaw in python-keystoneclient which does not verify the expiry of PKI tokens. It allows an authenticated user to use a token or even a revoked token after its expiry.
lists.opensuse.org/opensuse-updates/2013-06/msg00198.html
rhn.redhat.com/errata/RHSA-2013-0944.html
www.openwall.com/lists/oss-security/2013/05/28/7
www.ubuntu.com/usn/USN-1851-1
www.ubuntu.com/usn/USN-1875-1
access.redhat.com/errata/RHSA-2013:0944
access.redhat.com/security/cve/CVE-2013-2104
access.redhat.com/security/updates/classification/#moderate
bugs.launchpad.net/python-keystoneclient/+bug/1179615
bugzilla.redhat.com/show_bug.cgi?id=904351
bugzilla.redhat.com/show_bug.cgi?id=928558
bugzilla.redhat.com/show_bug.cgi?id=965852
rhn.redhat.com/errata/RHSA-2013-0944.html