Articles / Ubuntu: Security update for...

Ubuntu: Security update for Keystone

Nathanael Burton discovered that Keystone did not properly verify disabled users. An authenticated but disabled user would continue to have access rights that were removed. Jonathan Murray discovered that Keystone would allow XML entity processing. A remote unauthenticated attacker could exploit this to cause a denial of service via resource exhaustion. Authenticated users could also use this to view arbitrary files on the Keystone server.

Updated packages are available from security.debian.org.

==========================================================================
Ubuntu Security Notice USN-1730-1
February 20, 2013

keystone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Keystone could be made to crash or expose sensitive information over the
network.

Software Description:
- keystone: OpenStack identity service

Details:

Nathanael Burton discovered that Keystone did not properly verify disabled
users. An authenticated but disabled user would continue to have access
rights that were removed. (CVE-2013-0282)

Jonathan Murray discovered that Keystone would allow XML entity processing.
A remote unauthenticated attacker could exploit this to cause a denial of
service via resource exhaustion. Authenticated users could also use this to
view arbitrary files on the Keystone server. (CVE-2013-1664, CVE-2013-1665)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
 python-keystone                 2012.2.1-0ubuntu1.2

Ubuntu 12.04 LTS:
 python-keystone                 2012.1+stable~20120824-a16a0ab9-0ubuntu2.5

In general, a standard system update will make all the necessary changes.

References:
 http://www.ubuntu.com/usn/usn-1730-1
 CVE-2013-0282, CVE-2013-1664, CVE-2013-1665

Package Information:
 https://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1.2

https://launchpad.net/ubuntu/+source/keystone/2012.1+stable~20120824-a16a0ab9-0ubuntu2.5

RSS Recent comments

30 Aug 2013 05:54 Avatar cernytroenhemv

Is there a specific version we should update to?
I can't fix this.

18 Dec 2013 10:04 Avatar zabzyg Thumbs up

great job

Screenshot

Project Spotlight

Pybik

A 3D Rubik's cube game.

Screenshot

Project Spotlight

aria2

A multi-protocol, multi-source, cross-platform download utility.