
keystone: multiple vulnerabilities

Package(s): keystone
CVE #(s): CVE-2013-0282 CVE-2013-1664 CVE-2013-1665
Created: February 21, 2013
Updated: March 22, 2013
Description: From the Ubuntu advisory:

Nathanael Burton discovered that Keystone did not properly verify disabled users. An authenticated but disabled user would continue to have access rights that were removed. (CVE-2013-0282)

Jonathan Murray discovered that Keystone would allow XML entity processing. A remote unauthenticated attacker could exploit this to cause a denial of service via resource exhaustion. Authenticated users could also use this to view arbitrary files on the Keystone server. (CVE-2013-1664, CVE-2013-1665)

Alerts:
Ubuntu USN-1730-1 2013-02-20
Ubuntu USN-1731-1 2013-02-20
Ubuntu USN-1734-1 2013-02-21
Debian DSA-2634-1 2013-02-27
Fedora FEDORA-2013-2916 2013-03-04
Red Hat RHSA-2013:0596-01 2013-03-05
Ubuntu USN-1757-1 2013-03-07
Red Hat RHSA-2013:0670-01 2013-03-21
Red Hat RHSA-2013:0658-01 2013-03-21
Red Hat RHSA-2013:0657-01 2013-03-21

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds