-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1337
               Moderate: openstack-keystone security update
                             26 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openstack-keystone
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Linux variants
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4294  

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2013-1285.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running openstack-keystone check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-keystone security update
Advisory ID:       RHSA-2013:1285-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1285.html
Issue date:        2013-09-25
CVE Names:         CVE-2013-4294 
=====================================================================

1. Summary:

Updated openstack-keystone packages that fix one security issue are now
available for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch

3. Description:

The openstack-keystone packages provide Keystone, a Python implementation
of the OpenStack identity service API, which provides Identity, Token,
Catalog, and Policy services.

It was found that Keystone did not correctly handle revoked PKI tokens,
allowing users with revoked tokens to retain access to resources they
should no longer be able to access. This issue only affected systems using
PKI tokens with the memcache or KVS token back ends. (CVE-2013-4294)

Red Hat would like to thank Thierry Carrez of OpenStack upstream for
reporting this issue. Upstream acknowledges Kieran Spear of University of
Melbourne as the original reporter.

All users of openstack-keystone are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the Keystone service (openstack-keystone) will be restarted
automatically.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1004452 - CVE-2013-4294 OpenStack: Keystone Token revocation failure using Keystone memcache/KVS backends

6. Package List:

OpenStack 3:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-keystone-2013.1.3-2.el6ost.src.rpm

noarch:
openstack-keystone-2013.1.3-2.el6ost.noarch.rpm
openstack-keystone-doc-2013.1.3-2.el6ost.noarch.rpm
python-keystone-2013.1.3-2.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4294.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSQw0iXlSAg2UNWIIRAnmyAJ4iAkMhCtBcGxWaXHWzjmgY6inATwCZAQVj
9ETqOu7awdR5AJHgvGMRtcM=
=Y5l8
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUkN5+BLndAQH1ShLAQLGsw//Y8SWjjSgV2qDNT7z5liBx9ZhY5D0Z5bU
iNtOHM+MFMqczL0oAqncfTkl2+fe2S0c0k/TmTiTz2mjri0D3Eyxa8LyYX+0ecnV
Vuz3OPW03QEwSn5ds4QAINkXORRJhMxzaZqz7D2ct0/km/Od4whSi6yDn0RlQCH0
GTgRuMzDAdV/eekfNVah6ByISHDzCO8GGXSkv+OY//UZLURh5ah/1EFkUT2TY/BT
ez09KMmiyfUhDtvEzrTd5/RZvb6gKDoytyl2TbsSQSbN7G4IFihhd6cLgqFymVBp
EUZt+IrKn3VzDRniTY61kCQH5ZGK+sLKtuQJIe67H6jLR5aHTJte2hVJqm0XD0IK
zjhkI4cElmpd4AUEt97HdIfiwKPpK+4amQ5xIhzTQpANWXrhKPB0tDPqvta3Nkmj
Jqlk8QVKlJ6ZIMGpj9W7TuZfpwJgGol38b/H+oib/eG0BQhR2xHfN52Q1cUZoI/S
UAohg1IDLsYqo/Cs5F4zd3bR+3iVhiydxT8j32n6IbcFYka6UFHw6lJaBz7ppDTv
1+TMejeXlgcEjPTkE6FKGPD9tKdVncS/ahHXnhrwvkIz9KsFC9o4vRF4v0XBlagm
vBA8eNB5jXYH2l8HCzyCqnGToC1jEYlLUgxYZartFHmem3N2q5aZKB3Oou1OGRPY
QjWnTQ4WB/Y=
=ujnK
-----END PGP SIGNATURE-----