- Issued: 2014-09-30
- Updated: 2014-09-30
RHBA-2014:1347 - Bug Fix Advisory
Synopsis
openstack-keystone bug fix update
Type/Severity
Bug Fix Advisory
Topic
Updated openstack-keystone packages that fix various bugs are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat
Enterprise Linux 7.0.
Description
Red Hat Enterprise Linux OpenStack Platform provides the facilities for
building a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware. This advisory includes
packages for:
- OpenStack Identity service ("keystone").
The OpenStack Identity service authenticates and authorizes OpenStack users
by keeping track of users and their permitted activities. The Identity
service supports multiple forms of authentication including user name and
password credentials, token-based systems, and AWS-style logins.
This update addresses the following issues:
- Identity service returned different response codes for GET and HEAD
requests, even though the HTTP specification stated that the same response
codes should be returned. As a result, when Identity service was deployed
in Apache httpd with mod_wsgi, clients received a different response
compared to running the 'keystone-all' command, since mod_wsgi translated HEAD
requests into GET requests. This led to client interoperability issues when
Identity service was deployed in different web servers.
With this update, Identity service returns consistent responses for HEAD
and GET requests, and client interoperability is improved by consistent API
responses, regardless of the web server that Identity service is deployed
on. (BZ#1122536)
- Identity Service listened on a port that was within the ephemeral port
range. Other applications which use ephemeral ports could end up using this
port before the Identity service was able to bind to it at start-up. As a
result, Identity service failed to start since its port was already in use
by another application.
With this update, Identity service reserves its port using the sysctl.d
interface. As a result, Identity service's port will no longer be used as
an ephemeral port for other applications, allowing Identity service to start
properly without port conflict. (BZ#1130213)
- Previously, when the Identity service encountered LDAP attributes with
binary values, it failed to properly parse the values. This included
attributes that Identity service is not even configured to use when
Identity service's LDAP search scope is set to 'subtree'. As a result,
LDAP entries containing binary LDAP attribute values were not usable with
the Identity service, which led to failed user lookup and authentication
when using the LDAP backend.
With this update, Identity service properly checks for attribute value
parsing errors and skips individual attributes that it does not understand.
As a result, LDAP entries containing binary attribute values work properly
with Identity service. (BZ#1138684)
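For the port reservation fix (BZ#1130213), the following check confirms that the Identity service's port can no longer be handed out as an ephemeral port. It is an added example, not code from this advisory or from Keystone. It assumes the reservation is expressed through the Linux sysctl `net.ipv4.ip_local_reserved_ports` alongside `net.ipv4.ip_local_port_range`; the function names and sample values are constructed.

```python
"""Check whether a service port can still be allocated as an ephemeral port."""
from pathlib import Path

KEYSTONE_ADMIN_PORT = 35357  # default port named in BZ#1130213


def parse_reserved(spec):
    """Parse ip_local_reserved_ports syntax, e.g. '8080,35357,49000-49010'."""
    ranges = []
    for item in spec.replace("\n", "").split(","):
        item = item.strip()
        if not item:
            continue  # an empty file means nothing is reserved
        low, _, high = item.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def port_status(port, range_spec, reserved_spec):
    """Return 'outside-range', 'reserved' or 'at-risk' for a listening port."""
    low, high = (int(x) for x in range_spec.split())
    if not low <= port <= high:
        return "outside-range"
    if any(lo <= port <= hi for lo, hi in parse_reserved(reserved_spec)):
        return "reserved"
    return "at-risk"


def live_status(port=KEYSTONE_ADMIN_PORT, proc=Path("/proc/sys/net/ipv4")):
    """Evaluate the running kernel's settings (Linux only)."""
    return port_status(
        port,
        (proc / "ip_local_port_range").read_text(),
        (proc / "ip_local_reserved_ports").read_text(),
    )


if __name__ == "__main__":
    # Constructed sample values: the same range without and with a reservation.
    print(port_status(KEYSTONE_ADMIN_PORT, "32768\t61000", ""))       # at-risk
    print(port_status(KEYSTONE_ADMIN_PORT, "32768\t61000", "35357"))  # reserved
    if Path("/proc/sys/net/ipv4/ip_local_port_range").exists():
        print("this host:", live_status())
```

A result of `at-risk` on a host running the Identity service means another process can bind the port first and the service may fail to start.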
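For the LDAP fix (BZ#1138684), the following sketch contrasts whole-entry decoding with per-attribute error handling over a search result shaped like the one python-ldap returns (a DN plus a dict mapping attribute names to lists of byte strings). It is an added example, not Keystone's code. It assumes the failing parse step is UTF-8 decoding; the entry, attribute names and function names are constructed.

```python
"""Decode an LDAP entry attribute by attribute, skipping undecodable values."""
import logging

LOG = logging.getLogger("ldap_decode_example")

# Constructed entry: text attributes plus two binary ones that a subtree
# search returns even though the service is not configured to use them.
SAMPLE_ENTRY = (
    "uid=jdoe,ou=Users,dc=example,dc=com",
    {
        "uid": [b"jdoe"],
        "cn": [b"J\xc3\xb6rg Doe"],                      # valid UTF-8
        "jpegPhoto": [b"\xff\xd8\xff\xe0\x00\x10JFIF"],  # JPEG header bytes
        "objectGUID": [b"\x9f\x1c\x00\xa2\xfe\x80\x41\x07"],
    },
)


def decode_strict(entry):
    """Behaviour described before the fix: one bad value fails the entry."""
    dn, attrs = entry
    return dn, {k: [v.decode("utf-8") for v in vals] for k, vals in attrs.items()}


def decode_tolerant(entry):
    """Behaviour described after the fix: skip only the failing attribute."""
    dn, attrs = entry
    decoded, skipped = {}, []
    for name, values in attrs.items():
        try:
            decoded[name] = [v.decode("utf-8") for v in values]
        except UnicodeDecodeError:
            # Record the attribute name only; the raw value is not logged.
            LOG.debug("skipping undecodable attribute %s on %s", name, dn)
            skipped.append(name)
    return dn, decoded, skipped


if __name__ == "__main__":
    try:
        decode_strict(SAMPLE_ENTRY)
    except UnicodeDecodeError as exc:
        print("strict decode failed:", exc.reason)
    print(decode_tolerant(SAMPLE_ENTRY))
```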
Solution
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 runs on Red Hat
Enterprise Linux 7.0.
The Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 Release Notes
contain the following:
- An explanation of the way in which the provided components interact to
form a working cloud computing environment.
- Technology Previews, Recommended Practices, and Known Issues.
- The channels required for Red Hat Enterprise Linux OpenStack Platform 5
for RHEL 7, including which channels need to be enabled and disabled.
The Release Notes are available at:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html
This update is available through the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
Affected Products
- Red Hat OpenStack 5.0 for RHEL 7 x86_64
Fixes
- BZ - 1122536 - HEAD and GET inconsistencies in Keystone
- BZ - 1130213 - exclude default port 35357 from the ephemeral port range
- BZ - 1138684 - Keystone LDAP identity driver crashes on binary attributes
CVEs
(none)
Red Hat OpenStack 5.0 for RHEL 7
SRPM | |
---|---|
openstack-keystone-2014.1.2.1-2.el7ost.src.rpm | SHA-256: 2ff2ed26d30580544b6b3aadf0ca8b96a54fe1b1dc06d42111c6d101866d83e5 |
x86_64 | |
openstack-keystone-2014.1.2.1-2.el7ost.noarch.rpm | SHA-256: bbb3330dd351ecfddbd9a364fa9540fb11e1a29e7b733e0f89b0d81031086d51 |
openstack-keystone-doc-2014.1.2.1-2.el7ost.noarch.rpm | SHA-256: c626e9dbaadfceb95e3ae0dfcc4234b685d013311221dd1fb6560fbd2070885e |
python-keystone-2014.1.2.1-2.el7ost.noarch.rpm | SHA-256: 076b3635115053165cdd9c2148375e8e4da68ce15ca948505ee82112bba123bb |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.