
Debian Keystone vulnerabilities

50 known vulnerabilities affecting debian/keystone.

Total CVEs: 50
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 11, MEDIUM 31, LOW 8

Vulnerabilities

Page 2 of 3
CVE-2014-5252 | MEDIUM | CVSS 4.9 | fixed in keystone 2014.1.2.1-1 (bookworm) | 2014 | debian
CVE-2014-5252 [MEDIUM] keystone - The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.
Scope: local; bookworm: resolved (fixed in 2014.1.2.1-1); bullseye: res
CVE-2014-0204 | MEDIUM | CVSS 6.5 | fixed in keystone 2014.1-5 (bookworm) | 2014 | debian
CVE-2014-0204 [MEDIUM] keystone - OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID.
Scope: local; bookworm: resolved (fixed in 2014.1-5); bullseye: resolved (fixed in 2014.1-5); forky: resolved (fixed in 2014.1
CVE-2014-2237 | MEDIUM | CVSS 5.0 | fixed in keystone 2013.2.3-1 (bookworm) | 2014 | debian
CVE-2014-2237 [MEDIUM] keystone - The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass
CVE-2014-5251 | MEDIUM | CVSS 4.9 | fixed in keystone 2014.1.2.1-1 (bookworm) | 2014 | debian
CVE-2014-5251 [MEDIUM] keystone - The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.
Scope: local; bookworm: resolved (fixed in 2014.1.2.1-1); bullseye: resolved (fi
CVE-2013-1664 | MEDIUM | CVSS 5.0 | fixed in cinder 2012.2.3-1 (bookworm) | 2013 | debian
CVE-2013-1664 [MEDIUM] cinder - The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
Scope: local; bookworm: resolved (fixe
CVE-2013-2157 | MEDIUM | CVSS 4.3 | fixed in keystone 2013.1.2-1 (bookworm) | 2013 | debian
CVE-2013-2157 [MEDIUM] keystone - OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.
Scope: local; bookworm: resolved (fixed in 2013.1.2-1); bullseye: resolved (fixed in 2013.1.2-1); forky: resolved (fixed in 2013.1.2-1); sid: resolved (fixed in 2013.1.2-1); trixie: resolved (fixe
CVE-2013-2059 | MEDIUM | CVSS 6.0 | fixed in keystone 2013.1.1-2 (bookworm) | 2013 | debian
CVE-2013-2059 [MEDIUM] keystone - OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token.
Scope: local; bookworm: resolved (fixed in 2013.1.1-2); bullseye: resolved (fixed in 2013.1.1-2); fo
CVE-2013-2255 | MEDIUM | CVSS 5.9 | fixed in keystone 2014.1-1 (bookworm) | 2013 | debian
CVE-2013-2255 [MEDIUM] keystone - HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
Scope: local; bookworm: resolved (fixed in 2014.1-1); bullseye: resolved (fixed in 2014.1-1); forky: resolved (fixed in 2014.1-1); sid: resolved (fixed in 2014.1-1); trixie: resolved (fixed in 2014.1-1)
CVE-2013-0247 | MEDIUM | CVSS 5.0 | fixed in keystone 2012.1.1-12 (bookworm) | 2013 | debian
CVE-2013-0247 [MEDIUM] keystone - OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.
Scope: local; bookworm: resolved (fixed in 2012.1.1-12); bullseye: resolved (fixed in 2012.1.1-12); forky:
CVE-2013-4294 | MEDIUM | CVSS 5.0 | fixed in keystone 2013.1.3-2 (bookworm) | 2013 | debian
CVE-2013-4294 [MEDIUM] keystone - The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
Scope: local; bookworm: resolved (fixed in 2013.1.3-2); bullseye: resolved (fixed in
CVE-2013-6391 | MEDIUM | CVSS 5.8 | fixed in keystone 2013.2.1-1 (bookworm) | 2013 | debian
CVE-2013-6391 [MEDIUM] keystone - The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
Scope: local; bookworm: resolved (fixed in 2013.2.1-1
CVE-2013-0270 | MEDIUM | CVSS 6.5 | fixed in keystone 2013.1.1-2 (bookworm) | 2013 | debian
CVE-2013-0270 [MEDIUM] keystone - A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specifically by providing a long tenant name when requesting a token. This could lead to a denial of service, consuming excessive CPU and memory resources on the affected system.
Scope: local; bookworm: resolved (fixed in 2013.1.1-2); bullseye:
CVE-2013-4222 | MEDIUM | CVSS 6.5 | fixed in keystone 2013.1.3-1 (bookworm) | 2013 | debian
CVE-2013-4222 [MEDIUM] keystone - OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.
Scope: local; bookworm: resolved (fixed in 2013.1.3-1); bullseye: resolved (fixed in 2013.1.3-1); forky: resolved (fixed in 2013.1.3-1); sid
CVE-2013-0282 | MEDIUM | CVSS 5.0 | fixed in keystone 2012.1.1-13 (bookworm) | 2013 | debian
CVE-2013-0282 [MEDIUM] keystone - OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.
Scope: local; bookworm: resolved (fixed in 2012.1.1-13); bullseye: resolved (fixed in 2012.1.1-13); fo
CVE-2013-1665 | MEDIUM | CVSS 5.0 | fixed in keystone 2012.1.1-13 (bookworm) | 2013 | debian
CVE-2013-1665 [MEDIUM] keystone - The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
Scope: local; bookworm: resolved (fixed in 2012.1.1-1
CVE-2013-2014 | MEDIUM | CVSS 5.0 | fixed in keystone 2013.1.1-2 (bookworm) | 2013 | debian
CVE-2013-2014 [MEDIUM] keystone - OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests.
Scope: local; bookworm: resolved (fixed in 2013.1.1-2); bullseye: resolved (fixed in 2013.1.1-2); forky: resolved (fixed in 2013.1.1-2); sid: resolved (fixed in 2013.1.1-2); trixie: resolved (fixed in 2013.1.1-2)
CVE-2013-1865 | LOW | CVSS 6.8 | 2013 | debian
CVE-2013-1865 [MEDIUM] keystone - OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2013-1977 | LOW | CVSS 2.1 | 2013 | debian
CVE-2013-1977 [LOW] keystone - OpenStack devstack uses world-readable permissions for keystone.conf, which allows local users to obtain sensitive information such as the LDAP password and admin_token secret by reading the file.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2013-2104 | LOW | CVSS 5.5 | fixed in python-keystoneclient 1:0.2.5-1 (bookworm) | 2013 | debian
CVE-2013-2104 [MEDIUM] keystone - python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.
Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
CVE-2013-4477 | LOW | CVSS 3.3 | fixed in keystone 2013.2-2 (bookworm) | 2013 | debian
CVE-2013-4477 [LOW] keystone - The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.
Scope: local; bookworm: resolved (fixed in 2013.2-2); bullseye: resolved (fixed in 2013.2-2); forky: resolved (fixed in 2013.2-2); sid: resolved (fixed in 2013