Comment 3 for bug 1175367

Thierry Carrez (ttx) wrote : Re: Memcache encryption middleware improperly implemented

I think it makes sense to fix both issues you reported in embargo mode, even if their exploitation is a bit unlikely... after all, those features were added to mitigate a risk, and they don't really mitigate it.

Here is my attempt to summarize the impact (for both):

Title: Issues in Keystone middleware memcache signing/encryption feature
Reporter: Paul McMillan (Nebula)
Products: python-keystoneclient
Affects: [? any idea when in client history that was introduced]

Description:
Paul McMillan from Nebula reported multiple issues in the implementation of the memcache signing/encryption feature in the Keystone client middleware. An attacker with direct write access to the memcache backend could insert malicious data and potentially bypass the signing/encryption security strategy that was specified. Only setups that make use of memcache caching in the Keystone middleware (specify memcache_servers) and use ENCRYPT or MAC as their memcache_security_strategy are affected.
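To make the intended protection concrete, here is an added illustration (not python-keystoneclient's code, and not a reconstruction of the reported flaw) of what a MAC security strategy for cached middleware data is supposed to guarantee: an entry written directly into the backend by someone who does not hold the secret key must fail verification on read and be treated as a cache miss. The `MacProtectedCache` class, the in-memory `backend` dict standing in for memcache, and the sample token entries are all constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


class MacProtectedCache:
    """Hypothetical wrapper around a memcache-like backend (constructed for this
    illustration, not python-keystoneclient's implementation).

    Each stored entry is `tag || payload`, where `tag` is an HMAC-SHA256 over the
    cache key and the payload. Anyone with raw write access to the backend but
    without the key cannot produce a tag that verifies."""

    def __init__(self, backend: Dict[str, bytes], secret_key: bytes) -> None:
        if len(secret_key) < 16:
            raise ValueError("secret key too short")
        self._backend = backend
        self._key = secret_key

    def _mac(self, key: str, payload: bytes) -> bytes:
        # Bind the tag to the cache key as well as the payload, so a valid entry
        # copied verbatim from one key to another is rejected too.
        return hmac.new(self._key, key.encode() + b"\x00" + payload, hashlib.sha256).digest()

    def set(self, key: str, value: Any) -> None:
        payload = json.dumps(value, sort_keys=True).encode()
        self._backend[key] = self._mac(key, payload) + payload

    def get(self, key: str) -> Optional[Any]:
        raw = self._backend.get(key)
        if raw is None or len(raw) < TAG_LEN:
            return None
        tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
        # Constant-time comparison; on mismatch behave exactly like a cache miss so the
        # caller falls back to re-validating the token with Keystone.
        if not hmac.compare_digest(tag, self._mac(key, payload)):
            return None
        return json.loads(payload)


def demo() -> Dict[str, Any]:
    """Exercise the honest path and two tampering attempts against the backend."""
    backend: Dict[str, bytes] = {}
    # Constructed key for a reproducible demo; a deployment would use a random secret.
    cache = MacProtectedCache(backend, b"example-secret-key-not-for-production")

    honest_value = {"user": "alice", "roles": ["member"]}
    cache.set("token:abc", honest_value)

    # 1) Normal read through the wrapper verifies and returns the value.
    honest = cache.get("token:abc")

    # 2) Someone with raw backend access keeps the original tag but swaps the payload.
    original_tag = backend["token:abc"][:TAG_LEN]
    backend["token:abc"] = original_tag + json.dumps(
        {"user": "alice", "roles": ["admin"]}, sort_keys=True).encode()
    tampered = cache.get("token:abc")

    # 3) A genuine entry is copied verbatim under a different cache key.
    cache.set("token:def", honest_value)
    backend["token:evil"] = backend["token:def"]
    copied = cache.get("token:evil")

    return {"honest": honest, "tampered": tampered, "copied": copied}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting for defenders is that the verification failure is indistinguishable from a cache miss: the middleware simply re-validates the token against Keystone, so a poisoned backend can at worst degrade caching, never grant access.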