python-keystoneclient is vulnerable to authorization bypass. An attacker with direct write access to the memcache backend can insert malicious data and bypass the encryption to tamper with the encrypted data or modify data in memcached. Only setups that use memcache caching in the Keystone middleware with ENCRYPT or MAC as the memcache_security_strategy are affected.
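A configuration check for the affected setup described above, as an added example that is not code from python-keystoneclient or from this advisory. The section names (`keystone_authtoken`, `filter:authtoken`) and the server option names (`memcache_servers`, `memcached_servers`) are assumptions about how the middleware is configured in a given deployment, and the sample configs are constructed.

```python
import configparser

# Sections where the auth_token middleware is usually configured (assumption).
SECTIONS = ("keystone_authtoken", "filter:authtoken")
# Option names that enable memcache caching (assumption; both spellings checked).
SERVER_OPTS = ("memcache_servers", "memcached_servers")
# Strategies the advisory names as affected.
AFFECTED = {"ENCRYPT", "MAC"}

def audit_authtoken(ini_text, source="<config>"):
    """Return one finding per section matching the advisory's affected setup."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text, source=source)
    findings = []
    for section in SECTIONS:
        if not cp.has_section(section):
            continue
        servers = ""
        for opt in SERVER_OPTS:
            servers = cp.get(section, opt, fallback="").strip()
            if servers:
                break
        strategy = cp.get(section, "memcache_security_strategy",
                          fallback="").strip().upper()
        # Affected only when caching is on AND the strategy is ENCRYPT or MAC.
        if servers and strategy in AFFECTED:
            findings.append({"source": source, "section": section,
                             "servers": servers, "strategy": strategy})
    return findings

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_AFFECTED = """[keystone_authtoken]
memcache_servers = 192.0.2.10:11211
memcache_security_strategy = encrypt
memcache_secret_key = PLACEHOLDER
"""
SAMPLE_NO_STRATEGY = """[filter:authtoken]
memcache_servers = 192.0.2.10:11211
"""
SAMPLE_NO_CACHE = """[keystone_authtoken]
memcache_security_strategy = MAC
"""

if __name__ == "__main__":
    for name, text in [("affected", SAMPLE_AFFECTED),
                       ("no-strategy", SAMPLE_NO_STRATEGY),
                       ("no-cache", SAMPLE_NO_CACHE)]:
        print(name, audit_authtoken(text, source=name))
```

A non-empty result means the host matches the affected configuration and should be checked against the vendor errata listed below.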
lists.fedoraproject.org/pipermail/package-announce/2013-August/113944.html
rhn.redhat.com/errata/RHSA-2013-0992.html
www.openwall.com/lists/oss-security/2013/06/19/5
www.securityfocus.com/bid/60684
access.redhat.com/errata/RHSA-2013:0992
access.redhat.com/security/cve/cve-2013-2166
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=971026
bugzilla.redhat.com/show_bug.cgi?id=974271
bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2166
bugzilla.suse.com/show_bug.cgi?id=CVE-2013-2166
security-tracker.debian.org/tracker/CVE-2013-2166