Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 519
Alerts This Week
Warning Icon 1 519

Ubuntu 12.04 LTS: USN-1641-1 Critical: Keystone Access Flaw

ubuntu
Calendar Grey November 28, 2012
Scroller Ubuntu
Critical flaws in the Keystone service on Ubuntu expose sensitive files to unauthorized network access. A prompt update is advised for vulnerable installations.
Keystone would allow unintended access to files over the network.

Summary

Keystone would allow unintended access to files over the network.

Software Description:

- keystone: OpenStack identity service

Details:

Vijaya Erukala discovered that Keystone did not properly invalidate

EC2-style credentials such that if credentials were removed from a tenant,

an authenticated and authorized user using those credentials may still be

allowed access beyond the account owner's expectations. (CVE-2012-5571)

It was discovered that Keystone did not properly implement token

expiration. A remote attacker could use this to continue to access an

account that is disabled or has a changed password. This issue was

previously fixed as CVE-2012-3426 but was reintroduced in Ubuntu 12.10.

(CVE-2012-5563)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
  python-keystone                 2012.2-0ubuntu1.2

Ubuntu 12.04 LTS:
  python-keystone                 2012.1+stable~20120824-a16a0ab9-0ubuntu2.3

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-1641-1

CVE-2012-5563, CVE-2012-5571

Severity
critical
Lowest
Low
Medium
High
Critical

=========================================================================Ubuntu Security Notice USN-1641-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.