Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -2 articles for you...
89
security advisoryfedoraupdateFedora 44 Openbao Critical Sec Fix DoS Token Management 2026-c7450bfed6
Update to upstream 2.5.3, fix CVE-2026-34986, CVE-2026-39388, CVE-2026-39396, CVE-2026-40264. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-c7450bfed6 2026-05-01 03:11:02.715680+00:00 -------------------------------------------------------------------------------- Name : openbao Product : Fedora 44 Version : 2.5.3 Release : 1.fc44 URL : https://openbao.org Summary : A tool for securely accessing secrets Description : Openbao secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Openbao handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more. -------------------------------------------------------------------------------- Update Information: Update to upstream 2.5.3, fix CVE-2026-34986, CVE-2026-39388, CVE-2026-39396, CVE-2026-40264 -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 21 2026 Dave Dykstra - 2.5.3-1 - update to upstream 2.5.3 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2455630 - CVE-2026-34986 openbao: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2455630 [ 2 ] Bug #2459846 - openbao-2.5.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2459846 [ 3 ] Bug #2460057 - CVE-2026-39388 openbao: OpenBao: Token renewal vulnerability via incorrect certificate matching in Certificate authentication. [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460057 [ 4 ] Bug #2460059 - CVE-2026-39396 openbao: OpenBao: Denial of Service viadecompression bomb in OCI plugin extraction [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460059 [ 5 ] Bug #2460061 - CVE-2026-40264 openbao: OpenBao: Unauthorized token management by privileged administrator [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460061 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-c7450bfed6' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
May 01, 2026
•Critical
Fedora
89
security advisoryfedoraDoSFedora 43 openbao Security Update 2026-41918b2b57 CVE Fixes DoS
Update to upstream 2.5.3, fix CVE-2026-34986, CVE-2026-39388, CVE-2026-39396, CVE-2026-40264. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-41918b2b57 2026-05-01 03:01:50.286480+00:00 -------------------------------------------------------------------------------- Name : openbao Product : Fedora 43 Version : 2.5.3 Release : 1.fc43 URL : https://openbao.org Summary : A tool for securely accessing secrets Description : Openbao secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Openbao handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more. -------------------------------------------------------------------------------- Update Information: Update to upstream 2.5.3, fix CVE-2026-34986, CVE-2026-39388, CVE-2026-39396, CVE-2026-40264 -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 21 2026 Dave Dykstra - 2.5.3-1 - update to upstream 2.5.3 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2455630 - CVE-2026-34986 openbao: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2455630 [ 2 ] Bug #2459846 - openbao-2.5.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2459846 [ 3 ] Bug #2460057 - CVE-2026-39388 openbao: OpenBao: Token renewal vulnerability via incorrect certificate matching in Certificate authentication. [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460057 [ 4 ] Bug #2460059 - CVE-2026-39396 openbao: OpenBao: Denial of Service viadecompression bomb in OCI plugin extraction [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460059 [ 5 ] Bug #2460061 - CVE-2026-40264 openbao: OpenBao: Unauthorized token management by privileged administrator [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460061 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-41918b2b57' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
May 01, 2026
•Critical
Fedora
89
security advisoryfedoraupdateFedora 42 openbao 2.5.3 Security Advisory FEDORA-2026-c008e6a5da
Update to upstream 2.5.3, fix CVE-2026-34986, CVE-2026-39388, CVE-2026-39396, CVE-2026-40264. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-c008e6a5da 2026-05-01 01:22:47.586665+00:00 -------------------------------------------------------------------------------- Name : openbao Product : Fedora 42 Version : 2.5.3 Release : 1.fc42 URL : https://openbao.org Summary : A tool for securely accessing secrets Description : Openbao secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Openbao handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more. -------------------------------------------------------------------------------- Update Information: Update to upstream 2.5.3, fix CVE-2026-34986, CVE-2026-39388, CVE-2026-39396, CVE-2026-40264 -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 21 2026 Dave Dykstra - 2.5.3-1 - update to upstream 2.5.3 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2455630 - CVE-2026-34986 openbao: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2455630 [ 2 ] Bug #2459846 - openbao-2.5.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2459846 [ 3 ] Bug #2460057 - CVE-2026-39388 openbao: OpenBao: Token renewal vulnerability via incorrect certificate matching in Certificate authentication. [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460057 [ 4 ] Bug #2460059 - CVE-2026-39396 openbao: OpenBao: Denial of Service viadecompression bomb in OCI plugin extraction [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460059 [ 5 ] Bug #2460061 - CVE-2026-40264 openbao: OpenBao: Unauthorized token management by privileged administrator [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460061 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-c008e6a5da' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
May 01, 2026
•Important
Fedora
98
security advisorymoderateRed HatRed Hat OpenStack: 2014:0580-01 Moderate: Keystone Token Management Issue
Updated openstack-keystone packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having Moderate [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-keystone security and bug fix update Advisory ID: RHSA-2014:0580-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2014:0580.html Issue date: 2014-05-29 CVE Names: CVE-2014-2237 ==================================================================== 1. Summary: Updated openstack-keystone packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch 3. Description: The OpenStack Identity service (keystone) authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication including user name and password credentials, token-based systems, and AWS-style logins. The openstack-keystone packages have been upgraded to upstream version 2013.2.3, which provides a number of bug fixes over the previous version. The following security issue is also fixed with this release: It was found that the memcached token back end of OpenStack Identity did not correctly invalidate a revoked trust token, allowing users with revoked tokens to retain access to services they should no longer be able to access. Note that only OpenStack Identity setups using thememcached back end for tokens were affected. (CVE-2014-2237) All openstack-keystone users are advised to upgrade to these updated packages, which correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1071434 - CVE-2014-2237 openstack-keystone: trustee token revocation does not work with memcache backend 1083415 - keystone qpid reconnection delay must be more accurate 1085933 - Replace python-oauth2 with oauthlib 6. Package List: Red Hat Enterprise Linux OpenStack Platform 4.0: Source: noarch: openstack-keystone-2013.2.3-4.el6ost.noarch.rpm openstack-keystone-doc-2013.2.3-4.el6ost.noarch.rpm python-keystone-2013.2.3-4.el6ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2014-2237 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. . Recent updates to openstack-keystone packages offer enhancements and important security patches for the Red Hat OpenStack Platform. It is advised to proceed with the upgrade.. OpenStack Keystone Update, Red Hat OpenStack Platform, Security Fixes. . LinuxSecurity.com Team
May 29, 2014
Red Hat
98
security advisorysecurity updatemoderate severityRed Hat OpenStack 3.0 RHSA-2014:0368-01 Moderate Token Flaws
Updated openstack-keystone packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. The Red Hat Security Response Team has rated this update as having Moderate [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-keystone security update Advisory ID: RHSA-2014:0368-01 Product: Red Hat OpenStack Advisory URL: https://access.redhat.com/errata/RHSA-2014:0368.html Issue date: 2014-04-03 CVE Names: CVE-2013-6391 CVE-2014-2237 ==================================================================== 1. Summary: Updated openstack-keystone packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: OpenStack 3 - noarch 3. Description: The OpenStack Identity service (keystone) authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication including user name and password credentials, token-based systems, and AWS-style logins. It was found that the ec2token API in keystone, which is used to generate EC2-style (Amazon Elastic Compute Cloud) credentials, could generate a token not scoped to a particular trust when creating a token from a received trust-scoped token. A remote attacker could use this flaw to retrieve a token that elevated their privileges to all of the trustor's roles. Note that only OpenStack Identity setups that have EC2-style authentication enabled were affected. (CVE-2013-6391) It was found that the the memcache token back end of OpenStack Identitydid not correctly invalidate a revoked trust token, allowing users with revoked tokens to retain access to services they should no longer be able to access. Note that only OpenStack Identity setups using the memcache back end for tokens were affected. (CVE-2014-2237) Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting CVE-2013-6391. Upstream acknowledges Steven Hardy of Red Hat as the original reporter of CVE-2013-6391. All openstack-keystone users are advised to upgrade to these updated packages, which correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1039164 - CVE-2013-6391 OpenStack Keystone: trust circumvention through EC2-style tokens 1071434 - CVE-2014-2237 openstack-keystone: trustee token revocation does not work with memcache backend 6. Package List: OpenStack 3: Source: noarch: openstack-keystone-2013.1.5-2.el6ost.noarch.rpm openstack-keystone-doc-2013.1.5-2.el6ost.noarch.rpm python-keystone-2013.1.5-2.el6ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2013-6391 https://access.redhat.com/security/cve/CVE-2014-2237 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2014 Red Hat, Inc. . Cautionary Red Hat alert regarding openstack-keystone, prompting critical update measures to address vulnerabilities.. Red Hat, OpenStack, Keystone, Security Update, Token Management. . LinuxSecurity.com Team
Apr 03, 2014
Red Hat
172
security advisorysecurity issueaccess controlUbuntu: USN-2002-1 Critical: Keystone Token Management Access Issue
Keystone would improperly grant access to invalid tokens under certain circumstances.. =========================================================================Ubuntu Security Notice USN-2002-1 October 23, 2013 keystone vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.04 - Ubuntu 12.10 Summary: Keystone would improperly grant access to invalid tokens under certain circumstances. Software Description: - keystone: OpenStack identity service Details: Chmouel Boudjnah discovered that Keystone did not properly invalidate user tokens when a tenant was disabled which allowed an authenticated user to retain access via the token. (CVE-2013-4222) Kieran Spear discovered that Keystone did not properly verify PKI tokens when performing revocation when using the memcache and KVS backends. An authenticated attacker could exploit this to bypass intended access restrictions. (CVE-2013-4294) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.04: python-keystone 1:2013.1.3-0ubuntu1.1 Ubuntu 12.10: python-keystone 2012.2.4-0ubuntu3.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-2002-1 CVE-2013-4222, CVE-2013-4294 Package Information: https://launchpad.net/ubuntu/+source/keystone/1:2013.1.3-0ubuntu1.1 https://launchpad.net/ubuntu/+source/keystone/2012.2.4-0ubuntu3.2 . Recent security flaws in Ubuntu's Keystone can lead to unauthorized system access through invalid tokens. Please refer to the update guidelines provided.. OpenStack Identity Service, Token Management, Access Control. . Severity: Critical. LinuxSecurity.com Team
Oct 23, 2013
•Critical
Ubuntu
98
security advisoryRed Hatadministrative accessRed Hat: RHSA-2012-1378 Important: Keystone Access Issues Resolved
Updated openstack-keystone packages that fix multiple security issues are now available for Red Hat OpenStack Essex. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Important: openstack-keystone security update Advisory ID: RHSA-2012:1378-01 Product: Red Hat OpenStack Advisory URL: https://access.redhat.com/errata/RHSA-2012:1378.html Issue date: 2012-10-16 CVE Names: CVE-2012-3542 CVE-2012-4413 CVE-2012-4456 CVE-2012-4457 ==================================================================== 1. Summary: Updated openstack-keystone packages that fix multiple security issues are now available for Red Hat OpenStack Essex. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHOS Essex Release - noarch 3. Description: Keystone is a Python implementation of the OpenStack (https://www.openstack.org/) identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a not authorized error; however, the client was still added to the tenant. Users able to access the Keystone administrative API could use this flaw to add any user to any tenant. (CVE-2012-3542) When logging into Keystone, the user receives a token to use for authentication with other services managed by Keystone. It was found that Keystone failed to revoke tokens if privileges were revoked, allowing usersto retain access toresources they should no longer be able to access while their token remains valid. (CVE-2012-4413) It was found that the Keystone administrative API was missing authentication for certain actions. Users able to access the Keystone administrative API could use this flaw to add, start, and stop services, as well as list the roles for any user. (CVE-2012-4456) It was found that Keystone incorrectly handled disabled tenants. A user belonging to a disabled tenant could use this flaw to continue accessing resources as if the tenant were not disabled. (CVE-2012-4457) Red Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and CVE-2012-4413. All users of openstack-keystone are advised to upgrade to these updated packages, which upgrade openstack-keystone to upstream version 2012.1.2 and correct these issues. After installing the updated packages, the Keystone service (openstack-keystone) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 852510 - CVE-2012-3542 OpenStack Keystone: Lack of authorization for adding users to tenants 855491 - CVE-2012-4413 OpenStack-Keystone: role revocation token issues 861179 - CVE-2012-4456 Openstack Keystone 2012.1.1: fails to validate tokens in Admin API 861180 - CVE-2012-4457 OpenStack Keystone 2012.1.1: fails to raise Unauthorized user error for disabled tenant 6. Package List: RHOS Essex Release: Source: noarch: openstack-keystone-2012.1.2-4.el6.noarch.rpm openstack-keystone-doc-2012.1.2-4.el6.noarch.rpm python-keystone-2012.1.2-4.el6.noarch.rpm python-keystone-auth-token-2012.1.2-4.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are availablefrom https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2012-3542 https://access.redhat.com/security/cve/CVE-2012-4413 https://access.redhat.com/security/cve/CVE-2012-4456 https://access.redhat.com/security/cve/CVE-2012-4457 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQfaASXlSAg2UNWIIRAlmyAJ9YE/4jNRDDrU18rjynELDlw52hgACeOp5r e2Q/ySsu1TmMhaCBp8zJVtg=7DOl -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
Oct 16, 2012
•Important
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!