CVE-2013-6391

Publication date 11 December 2013

Last updated 24 July 2024

Ubuntu priority

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
keystone	13.10 saucy	Fixed 1:2013.2-0ubuntu1.2
	13.04 raring	Ignored
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not in release

Notes

mdeslaur

OSSA 2013-032

jdstrand

per upstream, Ubuntu 13.04 not affected due to improper check which disables impersonation entirely. Upstream has not released a patch yet for grizzly (Ubuntu 13.04) as of 2013-12-17. A fix for Ubuntu 13.04 may happen in a future update.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
keystone	Upstream: https://review.openstack.org/61425 Upstream: https://review.openstack.org/61419

References

Related Ubuntu Security Notices (USN)