Security Advisory Important: python-keystoneclient security update

Advisory: RHSA-2014:0382-2
Type: Security Advisory
Severity: Important
Issued on: 2014-04-09
Last updated on: 2014-04-09
Affected Products: Red Hat OpenStack 4.0
CVEs (cve.mitre.org): CVE-2014-0105

Details

Updated python-keystoneclient packages that fix one security issue are now
available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Python-keystoneclient is a client library and a command line utility for
interacting with the OpenStack Identity API. The OpenStack Identity
auth_token middleware component handles the authentication of tokens
with keystone.

When using the auth_token middleware with the memcached token cache
enabled, a token for a different identity could be returned. An
authenticated user could use this flaw to escalate their privileges by
making repeated requests that could eventually allow the user to acquire
the administrator's identity. Note that only OpenStack Identity setups
using auth_token with memcached were affected. (CVE-2014-0105)

Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Kieran Spear from the University of Melbourne as the
original reporter.

The python-keystoneclient package has been upgraded to version 0.7.1.
Additionally, the python-six package has been upgraded to version 1.5.2,
required by the updated python-keystoneclient package.

All python-keystoneclient users are advised to upgrade to these updated
packages, which correct this issue. After installing this update, all
OpenStack services using auth_token must be restarted for this update to
take effect.
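A triage helper for the exposure described above, added here as an example and not Red Hat's or the keystoneclient project's code: it flags a service as affected only when it runs a python-keystoneclient older than the fixed 0.7.1 and has the memcached token cache configured. It assumes the cache is enabled by a non-empty `memcached_servers` (or older `memcache_servers`) option in the service's `[keystone_authtoken]` or paste `[filter:authtoken]` section; the sample configs and addresses are constructed.

```python
# Added triage helper for CVE-2014-0105 (not Red Hat's or keystoneclient's code).
# Assumption: the memcached token cache is on when memcached_servers (or the
# older memcache_servers) is non-empty in [keystone_authtoken] or [filter:authtoken].
import configparser
import re

FIXED_VERSION = "0.7.1"                      # fixed upstream version per the advisory
AUTHTOKEN_SECTIONS = ("keystone_authtoken", "filter:authtoken")
MEMCACHE_KEYS = ("memcached_servers", "memcache_servers")


def parse_version(ver):
    """Map an RPM-style string such as '0.7.1-2.el6ost' to (0, 7, 1)."""
    upstream = ver.split("-", 1)[0]          # drop the RPM release suffix
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def version_is_fixed(installed):
    """True once the installed upstream version is at or past 0.7.1."""
    return parse_version(installed) >= parse_version(FIXED_VERSION)


def memcached_token_cache_enabled(config_text):
    """True if any auth_token section names one or more memcached servers."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(config_text)
    return any(
        cp.get(section, key, fallback="").strip()
        for section in AUTHTOKEN_SECTIONS if cp.has_section(section)
        for key in MEMCACHE_KEYS
    )


def assess(installed_version, config_text):
    """Classify one service as 'fixed', 'vulnerable' or 'unaffected'."""
    if version_is_fixed(installed_version):
        return "fixed"
    return "vulnerable" if memcached_token_cache_enabled(config_text) else "unaffected"


# Constructed sample configs using RFC 5737 documentation addresses, not real hosts.
NOVA_CONF = "[keystone_authtoken]\nauth_host = 192.0.2.10\nmemcached_servers = 192.0.2.20:11211\n"
GLANCE_PASTE = "[filter:authtoken]\npaste.filter_factory = keystoneclient.middleware.auth_token:filter_factory\nmemcache_servers = 192.0.2.21:11211\n"
CINDER_CONF = "[keystone_authtoken]\nauth_host = 192.0.2.10\nmemcached_servers =\n"

if __name__ == "__main__":
    for name, ver, conf in (("nova", "0.6.0-1.el6ost", NOVA_CONF),
                            ("glance", "0.6.0-1.el6ost", GLANCE_PASTE),
                            ("cinder", "0.6.0-1.el6ost", CINDER_CONF),
                            ("nova (patched)", "0.7.1-2.el6ost", NOVA_CONF)):
        print(f"{name}: {assess(ver, conf)}")
```

Feed it the installed version from `rpm -q python-keystoneclient` and each service's config; remember that a "fixed" result still requires the service to have been restarted after the update.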


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat OpenStack 4.0

SRPMS:
python-keystoneclient-0.7.1-2.el6ost.src.rpm
    File outdated by: RHSA-2015:0020
    MD5: c439ab7981e9caf446a06943eac51948
    SHA-256: 36247d97acd70651952a6cc45c94e63a78e1661c39cf8acbaed18ff2c2778064
python-six-1.5.2-1.el6.src.rpm
    MD5: ecc841aabc7bb8b07f48e7ff7647c339
    SHA-256: d6073321575495897426e34da7b3c953f207babef37776341867503578a1b771

x86_64:
python-keystoneclient-0.7.1-2.el6ost.noarch.rpm
    File outdated by: RHSA-2015:0020
    MD5: e6eca03f51543476e2ce82023992fd21
    SHA-256: 03e48e9ff8ece01b7b8ca7def340c55527283b63f4bacb56fbf0c9ebf6956e4b
python-keystoneclient-doc-0.7.1-2.el6ost.noarch.rpm
    File outdated by: RHSA-2015:0020
    MD5: 754cd67df01ee42539e4b72ae5371228
    SHA-256: bfb9cfd2b9b87eac1a35abd3a22e123107e253d01336c27eca02816fa71fa1f2
python-six-1.5.2-1.el6.noarch.rpm
    MD5: 397aca51deafe805c7dd709356b2aa3a
    SHA-256: d20cb9360975c627aa6792e11568f591449bf35a8c4e1ee6bc0f30bb302ceadd

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1082165 - CVE-2014-0105 python-keystoneclient: Potential context confusion in Keystone middleware


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/