On 01/30/2013 11:33 PM, Thierry Carrez wrote:
> This is an advance warning of a vulnerability discovered in OpenStack,
> to give you, as downstream stakeholders, a chance to coordinate the
> release of fixes and reduce the vulnerability window. Please treat the
> following information as confidential until the proposed public
> disclosure date (see below).
>
> Title: Keystone denial of service through invalid token requests
> Reporter: Dan Prince (Red Hat)
> Products: Keystone
> Affects: All versions
>
> Description:
> Dan Prince of Red Hat reported a vulnerability in token creation error
> handling in Keystone. By requesting lots of invalid tokens, an
> unauthenticated user may fill up logs on Keystone API servers disks,
> potentially resulting in a denial of service attack against Keystone.
>
> Proposed patches:
> See attached patches for current development tree (Grizzly) and the
> Folsom and Essex series. Unless a flaw is discovered in them, these
> proposed patches will be merged to Keystone master, stable/folsom and
> stable/essex branches on the public disclosure date.
>
> CVE:
> No CVE was assigned yet to those issues, so please let us know what we
> should use.
>
> Proposed public disclosure date/time:
> *Tuesday February 5th, 1500UTC*
> Please do not make the issue public (or release public patches) before
> the coordinated embargo date.
>
> Regards,
Hi Thierry and Dan,

I got very confused about CVE-2013-0247 and CVE-2013-0270. I have already uploaded the fix for CVE-2013-0247 in Debian SID, and now I'm trying to understand what CVE-2013-0270 is about. My request about it on the OpenStack development list was left without an answer, so I'm asking you directly, with Cc: to the already opened Debian bug.

The problem is that the patches I've read for CVE-2013-0270 for Essex seem to do the exact same thing as the patches for CVE-2013-0247 (in a slightly different way), and of course, both patches are conflicting.

So, could you please confirm what my guts are telling me, which is that this patch:

http://anonscm.debian.org/gitweb/?p=openstack/keystone.git;a=commitdiff;h=b6fe7d8c7719996b3b5a8765dee55bb0eb2944df

which fixes CVE-2013-0247 also fixes CVE-2013-0270, which must be a duplicate of CVE-2013-0247. If this isn't the case, please tell me what's going on, and what you think I should do to fix Keystone in Debian Wheezy. I can apply things "by hand" if needed...

Please try to reply in a timely manner (as much as possible of course), as all this is public already.

Cheers,

Thomas Goirand (zigo)