Python-keystoneclient is the client library and command line utility for
interacting with the OpenStack identity API.
A flaw was found in the way python-keystoneclient handled encrypted data
from memcached. Even when the memcache_security_strategy setting in
“/etc/swift/proxy-server.conf” was set to ENCRYPT to help prevent
tampering, an attacker on the local network, or possibly an unprivileged
user in a virtual machine hosted on OpenStack, could use this flaw to
bypass intended restrictions and modify data in memcached that will later
be used by services utilizing python-keystoneclient (such as Nova, Cinder,
Swift, Glance, and so on). (CVE-2013-2166)
A flaw was found in the way python-keystoneclient verified data from
memcached. Even when the memcache_security_strategy setting in
“/etc/swift/proxy-server.conf” was set to MAC to perform signature
checking, an attacker on the local network, or possibly an unprivileged
user in a virtual machine hosted on OpenStack, could use this flaw to
modify data in memcached that will later pass signature checking in
python-keystoneclient. (CVE-2013-2167)
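The MAC strategy named above is meant to make any entry altered inside memcached fail verification when it is read back. The following Python example is added here and is not python-keystoneclient's own code; it shows that intended behaviour with a constructed secret key and token entry (the ENCRYPT strategy is not modelled).

```python
import hashlib
import hmac
import json

# Added illustration (not python-keystoneclient's own code) of what the
# memcache_security_strategy = MAC setting is meant to guarantee: every cached
# token entry carries an HMAC computed with memcache_secret_key, so an entry
# altered inside memcached fails verification on read. The key and the token
# data below are constructed for the example; ENCRYPT is not modelled.
SECRET_KEY = b"constructed-memcache_secret_key"


def protect(value, strategy, secret_key=SECRET_KEY):
    """Serialize `value` for memcached under the given strategy."""
    payload = json.dumps(value, sort_keys=True).encode()
    if strategy.upper() == "NONE":
        return payload
    if strategy.upper() == "MAC":
        tag = hmac.new(secret_key, payload, hashlib.sha256).hexdigest().encode()
        return b"MAC:" + tag + b":" + payload
    raise ValueError("only NONE and MAC are modelled in this example")


def verify(blob, strategy, secret_key=SECRET_KEY):
    """Return the cached value, or None if the entry fails verification."""
    if strategy.upper() == "NONE":
        return json.loads(blob.decode())      # no integrity check at all
    if strategy.upper() != "MAC":
        raise ValueError("only NONE and MAC are modelled in this example")
    prefix, _, rest = blob.partition(b":")
    tag, _, payload = rest.partition(b":")    # the hex tag contains no ':'
    if prefix != b"MAC" or not tag:
        return None
    expected = hmac.new(secret_key, payload, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload.decode())


def tampering_detected(strategy):
    """Store a token entry, alter it the way a corrupted cache entry would be,
    and report whether the read side rejects it (True) or accepts it (False)."""
    entry = {"user": "alice", "roles": ["member"]}
    stored = protect(entry, strategy)
    altered = stored.replace(b'"member"', b'"admin"')
    return verify(altered, strategy) is None
```

With strategy NONE the altered entry is accepted unchanged, which is the situation the MAC setting exists to prevent.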
Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Paul McMillan of Nebula as the original
reporter.
This update also fixes the following bug:
Additionally, this update adds the following enhancement:
All users of Red Hat OpenStack 3.0 (Grizzly) Preview are advised to install
these updated packages, which correct these issues and add this
enhancement.
OS | OS version | Architecture | Package | Affected version | Filename
---|---|---|---|---|---
RedHat | 6 | noarch | python-keystoneclient-doc | < 0.2.3-5.el6ost | python-keystoneclient-doc-0.2.3-5.el6ost.noarch.rpm
RedHat | 6 | src | python-keystoneclient | < 0.2.3-5.el6ost | python-keystoneclient-0.2.3-5.el6ost.src.rpm
RedHat | 6 | noarch | python-keystoneclient | < 0.2.3-5.el6ost | python-keystoneclient-0.2.3-5.el6ost.noarch.rpm