Explore top 10 tips to secure your open-source projects now. Read More
×
Keystone could be made to expose sensitive information over the
network.
Software Description:
- python-keystoneclient: Client library for OpenStack Identity API
- python-keystonemiddleware: Client library for OpenStack Identity API
Details:
Qin Zhao discovered Keystone disabled certification verification when
the "insecure" option is set in a paste configuration (paste.ini)
file regardless of the value, which allows remote attackers to conduct
man-in-the-middle attacks via a crafted certificate. (CVE-2014-7144)
Brant Knudson discovered Keystone disabled certification verification when
the "insecure" option is set in a paste configuration (paste.ini)
file regardless of the value, which allows remote attackers to conduct
man-in-the-middle attacks via a crafted certificate. (CVE-2015-1852)
The problem can be corrected by updating your system to the following package versions: Ubuntu 15.04: python-keystoneclient 1:1.2.0-0ubuntu1.1 python-keystonemiddleware 1.5.0-0ubuntu1.1 Ubuntu 14.04 LTS: python-keystoneclient 1:0.7.1-ubuntu1.2 After a standard system update you need to restart Keystone to make all the necessary changes.
CVE-2014-7144, CVE-2015-1852
Get the latest Linux and open source security news straight to your inbox.