CVE-2012-5563
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression. Token chaining means authenticating to Keystone with an existing, still-valid token instead of a password. The CVE-2012-3426 fix made the token obtained that way expire no later than the token it was derived from; Folsom 2012.2 lost that bound, so a user can keep renewing a token from a token and retain access past the original expiry (tracked below as bug 1079216, OSSA-2012-019).
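The following is an added example, not Keystone or OpenStack code. It models a v2-style token issuer in two configurations: one that hands out a full-lifetime token on every token-based authentication (the regressed Folsom behaviour described above) and one that caps a chained token's expiry at its parent's (the CVE-2012-3426 fix). It also includes a check that compares the `access.token.expires` fields of a password-auth response and the token-auth response obtained from it, so the same test can be run against a real endpoint. The token lifetime, the user name, the 32-character hex token ids, the response JSON shape and the `YYYY-MM-DDTHH:MM:SSZ` timestamp format are assumptions; the sample responses are constructed, not captured.

```python
"""Added example (not Keystone code): token chaining with and without the
CVE-2012-3426 expiry cap, plus a response-level check for the regression.
"""
from datetime import datetime, timedelta, timezone
import secrets

TOKEN_LIFETIME = timedelta(hours=24)  # assumed default token lifetime


class TokenService:
    """Toy issuer. cap_chained_expiry=False models the regressed Folsom behaviour."""

    def __init__(self, cap_chained_expiry):
        self.cap_chained_expiry = cap_chained_expiry
        self._tokens = {}  # token id -> (user, expires)

    def _issue(self, user, expires):
        token_id = secrets.token_hex(16)  # 32 hex chars, like a non-PKI token id
        self._tokens[token_id] = (user, expires)
        return token_id, expires

    def authenticate_password(self, user, now):
        # Password auth always grants a full lifetime counted from now.
        return self._issue(user, now + TOKEN_LIFETIME)

    def authenticate_token(self, token_id, now):
        # Token auth: the parent token must exist and still be valid.
        entry = self._tokens.get(token_id)
        if entry is None or entry[1] <= now:
            raise PermissionError("token unknown or expired")
        user, parent_expires = entry
        expires = now + TOKEN_LIFETIME
        if self.cap_chained_expiry:
            # CVE-2012-3426 fix: a chained token never outlives its parent.
            expires = min(expires, parent_expires)
        return self._issue(user, expires)


def chain_lifetime(service, user, start, renew_every, max_renewals):
    """Re-authenticate with the newest token every `renew_every` and return
    (successful renewals, hours the chain's final expiry lies past the ORIGINAL
    password-issued token's expiry)."""
    token_id, original_expires = service.authenticate_password(user, start)
    now = start
    renewals = 0
    last_expires = original_expires
    for _ in range(max_renewals):
        now += renew_every
        try:
            token_id, last_expires = service.authenticate_token(token_id, now)
        except PermissionError:
            break
        renewals += 1
    return renewals, (last_expires - original_expires) / timedelta(hours=1)


def run_chain(cap_chained_expiry, renew_every_hours=12, max_renewals=10):
    """Drive chain_lifetime against a fresh service from a fixed start time."""
    service = TokenService(cap_chained_expiry)
    start = datetime(2012, 11, 16, 12, 0, tzinfo=timezone.utc)  # arbitrary
    return chain_lifetime(service, "alice", start,
                          timedelta(hours=renew_every_hours), max_renewals)


def chained_token_outlives_parent(parent_response, child_response):
    """Regression check: True if the token-auth response's expiry is later than
    the password-auth response it was chained from. Assumes Keystone's
    ISO 8601 'YYYY-MM-DDTHH:MM:SSZ' timestamps."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    parent = datetime.strptime(parent_response["access"]["token"]["expires"], fmt)
    child = datetime.strptime(child_response["access"]["token"]["expires"], fmt)
    return child > parent


# Constructed responses in the v2 JSON shape (not captured from a real server).
SAMPLE_PARENT_RESPONSE = {"access": {"token": {"id": "a" * 32,
                                               "expires": "2012-11-17T12:00:00Z"}}}
SAMPLE_CHILD_RESPONSE = {"access": {"token": {"id": "b" * 32,
                                              "expires": "2012-11-18T00:00:00Z"}}}

if __name__ == "__main__":
    print("regressed (renewals, hours past original expiry):", run_chain(False))
    print("fixed     (renewals, hours past original expiry):", run_chain(True))
    print("sample child outlives parent:",
          chained_token_outlives_parent(SAMPLE_PARENT_RESPONSE, SAMPLE_CHILD_RESPONSE))
```

Against the regressed issuer, renewing every 12 hours succeeds ten times out of ten and leaves the chain valid 120 hours beyond the original 24-hour expiry; against the capped issuer the first renewal succeeds but inherits the parent's expiry, and the second is rejected. To test a real Folsom deployment, feed `chained_token_outlives_parent` the JSON from a password authentication and from a second authentication that presents only that token.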
Related bugs and status
CVE-2012-5563 (Candidate) is related to these bugs:
Bug #1060389: Non PKI Tokens longer than 32 characters can never be valid
Bug | Summary | In | Importance | Status
---|---|---|---|---
1060389 | Non PKI Tokens longer than 32 characters can never be valid | OpenStack Identity (keystone) | High | Fix Released
1060389 | Non PKI Tokens longer than 32 characters can never be valid | OpenStack Identity (keystone) folsom | High | Fix Released
1060389 | Non PKI Tokens longer than 32 characters can never be valid | keystone (Ubuntu) | Undecided | Fix Released
1060389 | Non PKI Tokens longer than 32 characters can never be valid | keystone (Ubuntu Quantal) | Undecided | Fix Released
Bug #1068674: Redo part of bp/sql-identiy-pam undone by bug 968519
Bug | Summary | In | Importance | Status
---|---|---|---|---
1068674 | Redo part of bp/sql-identiy-pam undone by bug 968519 | OpenStack Identity (keystone) | Undecided | Fix Released
1068674 | Redo part of bp/sql-identiy-pam undone by bug 968519 | OpenStack Identity (keystone) folsom | Medium | Fix Released
1068674 | Redo part of bp/sql-identiy-pam undone by bug 968519 | keystone (Ubuntu) | Undecided | Fix Released
1068674 | Redo part of bp/sql-identiy-pam undone by bug 968519 | keystone (Ubuntu Quantal) | Undecided | Fix Released
Bug #1068851: Openssl tests rely on expired certificate
Bug | Summary | In | Importance | Status
---|---|---|---|---
1068851 | Openssl tests rely on expired certificate | OpenStack Identity (keystone) | High | Fix Released
1068851 | Openssl tests rely on expired certificate | OpenStack Identity (keystone) folsom | High | Fix Released
1068851 | Openssl tests rely on expired certificate | keystone (Ubuntu) | Undecided | Fix Released
1068851 | Openssl tests rely on expired certificate | keystone (Ubuntu Quantal) | Undecided | Fix Released
Bug #1073569: Jenkins jobs fail because of incompatibility between sqlalchemy-migrate and the newest sqlalchemy-0.8.0b1
Bug #1078497: keystone throws error when removing user from tenant.
Bug | Summary | In | Importance | Status
---|---|---|---|---
1078497 | keystone throws error when removing user from tenant. | OpenStack Identity (keystone) | Critical | Fix Released
1078497 | keystone throws error when removing user from tenant. | OpenStack Identity (keystone) folsom | Critical | Fix Released
1078497 | keystone throws error when removing user from tenant. | keystone (Ubuntu) | Undecided | Fix Released
1078497 | keystone throws error when removing user from tenant. | keystone (Ubuntu Quantal) | Undecided | Fix Released
Bug #1079216: [OSSA-2012-019] token expires time incorrect for auth by one token
Bug | Summary | In | Importance | Status
---|---|---|---|---
1079216 | [OSSA-2012-019] token expires time incorrect for auth by one token | OpenStack Identity (keystone) | High | Fix Released
1079216 | [OSSA-2012-019] token expires time incorrect for auth by one token | OpenStack Identity (keystone) folsom | High | Fix Released
1079216 | [OSSA-2012-019] token expires time incorrect for auth by one token | keystone (Ubuntu) | Undecided | Fix Released
1079216 | [OSSA-2012-019] token expires time incorrect for auth by one token | keystone (Ubuntu Quantal) | Undecided | Fix Released
1079216 | [OSSA-2012-019] token expires time incorrect for auth by one token | OpenStack Security Advisory | Undecided | Fix Released
Bug #1085255: Meta bug for tracking Openstack 2012.2.1 Stable Update
See the CVE page on Mitre.org (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5563) for more details.