(RHSA-2013:0806) Low: openstack-keystone security and bug fix update

ID RHSA-2013:0806
Type redhat
Reporter RedHat
Modified 2018-06-09T14:17:33


The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services.

These updated packages have been upgraded to upstream version 2012.2.4, which provides a number of bug fixes over the previous version. (BZ#950132)

This update also fixes the following security issue:

In environments using LDAP (Lightweight Directory Access Protocol), if debug-level logging was enabled (for example, by enabling it in "/etc/keystone/keystone.conf"), the LDAP server password was logged in plain text to a world-readable log file. Debug-level logging is not enabled by default. (CVE-2013-2006)

Additionally, this update also fixes the following bugs:

  • If the Keystone service incurred an HTTP error as a result of a transient network error, authentication tokens were listed as invalid. With this update, the Keystone service will now retry requests a few times before failing, which masks transient network errors. (BZ#919526)

  • The "/var/log/keystone/" directory was world-readable. With this update, world-read permissions have been removed. (BZ#956474)

All users of openstack-keystone are advised to upgrade to these updated packages, which correct these issues. After installing the updated packages, the Keystone service (openstack-keystone) will be restarted automatically.