Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Ubuntu 15.04/14.04 LTS USN-2705-1 Moderate: Keystone MITM Vulnerability

ubuntu
Calendar Grey August 6, 2015
Scroller Ubuntu
Secure your Keystone deployment on Ubuntu by updating packages, reviewing configs, enforcing secure networking, and regularly monitoring logs for better protection
Keystone could be made to expose sensitive information over thenetwork.

Summary

Keystone could be made to expose sensitive information over the

network.

Software Description:

- python-keystoneclient: Client library for OpenStack Identity API

- python-keystonemiddleware: Client library for OpenStack Identity API

Details:

Qin Zhao discovered Keystone disabled certification verification when

the "insecure" option is set in a paste configuration (paste.ini)

file regardless of the value, which allows remote attackers to conduct

man-in-the-middle attacks via a crafted certificate. (CVE-2014-7144)

Brant Knudson discovered Keystone disabled certification verification when

the "insecure" option is set in a paste configuration (paste.ini)

file regardless of the value, which allows remote attackers to conduct

man-in-the-middle attacks via a crafted certificate. (CVE-2015-1852)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
  python-keystoneclient           1:1.2.0-0ubuntu1.1
  python-keystonemiddleware       1.5.0-0ubuntu1.1

Ubuntu 14.04 LTS:
  python-keystoneclient           1:0.7.1-ubuntu1.2

After a standard system update you need to restart Keystone to make
all the necessary changes.

References

CVE-2014-7144, CVE-2015-1852

Severity
important
Lowest
Low
Medium
High
Critical

August 06, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.