keystone: multiple vulnerabilities

Package(s): keystone
CVE #(s): CVE-2012-5571 CVE-2012-5563
Created: November 29, 2012
Updated: December 11, 2012
Description:

From the Ubuntu advisory:

Vijaya Erukala discovered that Keystone did not properly invalidate EC2-style credentials such that if credentials were removed from a tenant, an authenticated and authorized user using those credentials may still be allowed access beyond the account owner's expectations. (CVE-2012-5571)

It was discovered that Keystone did not properly implement token expiration. A remote attacker could use this to continue to access an account that is disabled or has a changed password. This issue was previously fixed as CVE-2012-3426 but was reintroduced in Ubuntu 12.10. (CVE-2012-5563)

Alerts:
Ubuntu USN-1641-1 2012-11-28
Red Hat RHSA-2012:1556-01 2012-12-10
Red Hat RHSA-2012:1557-01 2012-12-10
Fedora FEDORA-2012-19341 2012-12-11

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds