Explore top 10 tips to secure your open-source projects now. Read More
×
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Python-keystoneclient is a client library and a command-line utility
for interacting with the OpenStack Identity API.
It was discovered that some items in the S3Token configuration as used by
python-keystoneclient were incorrectly evaluated as strings, an issue
similar to CVE-2014-7144. If the "insecure" option was set to "false", the
option would be evaluated as true, resulting in TLS connections being
vulnerable to man-in-the-middle attacks. Note: The "insecure" option
defaults to false, so setups that do not specifically define
"insecure=false" are not affected. (CVE-2015-1852)
Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Brant Knudson from IBM as the original reporter.
All python-keystoneclient users are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.
https://access.redhat.com/security/cve/CVE-2015-1852 https://access.redhat.com/security/updates/classification/#moderate
Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 6:
Source:
python-keystoneclient-0.9.0-6.el6ost.src.rpm
noarch:
python-keystoneclient-0.9.0-6.el6ost.noarch.rpm
python-keystoneclient-doc-0.9.0-6.el6ost.noarch.rpm
Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 7:
Source:
python-keystoneclient-0.9.0-6.el7ost.src.rpm
noarch:
python-keystoneclient-0.9.0-6.el7ost.noarch.rpm
python-keystoneclient-doc-0.9.0-6.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Updated python-keystoneclient packages that fix one security issue arenow available for Red Hat Enterprise Linux OpenStack Platform 5.0.Red Hat Product Security has rated this update as having Moderate securityimpact. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available from the CVE link in theReferences section.
Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 6 - noarch
Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 7 - noarch
1209527 - CVE-2015-1852 OpenStack keystonemiddleware/keystoneclient: S3Token TLS cert verification option not honored
Get the latest Linux and open source security news straight to your inbox.