USN-1730-1: OpenStack Keystone vulnerabilities

20 February 2013

Keystone could be made to crash or expose sensitive information over the network.

Releases

Packages

Details

Nathanael Burton discovered that Keystone did not properly verify disabled
users. An authenticated but disabled user would continue to have access
rights that were removed. (CVE-2013-0282)

Jonathan Murray discovered that Keystone would allow XML entity processing.
A remote unauthenticated attacker could exploit this to cause a denial of
service via resource exhaustion. Authenticated users could also use this to
view arbitrary files on the Keystone server. (CVE-2013-1664, CVE-2013-1665)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.10
Ubuntu 12.04

In general, a standard system update will make all the necessary changes.

Related notices