Ubuntu: Security update for Keystone

Dolph Mathews discovered that when roles are granted to or revoked from users in Keystone, pre-existing tokens were not updated or invalidated to take the new roles into account. An attacker could use this to continue to access resources after access to them has been revoked.

Updated packages are available from security.ubuntu.com.

==========================================================================
Ubuntu Security Notice USN-1564-1
September 13, 2012

keystone vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

OpenStack Keystone did not properly handle user role changes.

Software Description:
- keystone: OpenStack identity service

Details:

Dolph Mathews discovered that when roles are granted to or revoked from
users in Keystone, pre-existing tokens were not updated or invalidated
to take the new roles into account. An attacker could use this to
continue to access resources after access to them has been revoked.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
 keystone                        2012.1+stable~20120824-a16a0ab9-0ubuntu2.2
 python-keystone                 2012.1+stable~20120824-a16a0ab9-0ubuntu2.2

In general, a standard system update will make all the necessary changes.

References:
 http://www.ubuntu.com/usn/usn-1564-1
 CVE-2012-4413

Package Information:
 https://launchpad.net/ubuntu/+source/keystone/2012.1+stable~20120824-a16a0ab9-0ubuntu2.2
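
The flaw described under Details, as a simplified model added here for illustration (this is not Keystone's code): tokens record the holder's roles when they are issued, and the model either leaves them untouched on a role change or invalidates them. The `TokenStore` class, the `invalidate_on_role_change` switch and the user and role names are assumptions made up for this example.

```python
import secrets


class TokenStore:
    """Toy identity service: a token snapshots the user's roles at issue time."""

    def __init__(self, invalidate_on_role_change):
        self.invalidate_on_role_change = invalidate_on_role_change
        self.roles = {}    # user -> set of role names
        self.tokens = {}   # token id -> (user, frozenset of roles at issue time)

    def grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._role_changed(user)

    def revoke(self, user, role):
        self.roles.get(user, set()).discard(role)
        self._role_changed(user)

    def _role_changed(self, user):
        # Corrected behaviour in this model: drop every token that was
        # issued to the user under the previous role set.
        if self.invalidate_on_role_change:
            self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user}

    def issue(self, user):
        token = secrets.token_hex(16)
        self.tokens[token] = (user, frozenset(self.roles.get(user, ())))
        return token

    def authorize(self, token, required_role):
        # Authorization trusts the roles stored with the token.
        entry = self.tokens.get(token)
        return entry is not None and required_role in entry[1]


def stale_token_survives(store):
    """Return True if a token still authorizes a role after that role was revoked."""
    store.grant("alice", "admin")      # constructed user and role names
    token = store.issue("alice")
    assert store.authorize(token, "admin")
    store.revoke("alice", "admin")
    return store.authorize(token, "admin")


if __name__ == "__main__":
    print("no invalidation, stale token accepted:", stale_token_survives(TokenStore(False)))
    print("invalidation,    stale token accepted:", stale_token_survives(TokenStore(True)))
```

The same grant, issue, revoke, re-use sequence can serve as a regression check against a patched deployment: a token obtained before the revocation should be rejected afterwards.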