Bugzilla – Bug 876902
VUL-0: CVE-2014-0204: openstack-keystone: Improper role assignments to users
Last modified: 2016-04-27 19:29:32 UTC
Created attachment 589197: Patch for CVE-2014-0204

Via distros (Message-ID: <536B961B.2030009@enovance.com>)
EMBARGOED: yes (2014-05-20, 1500UTC)

Michael Stancampiano from IBM reported a vulnerability in Keystone. Someone with write access to the user and group repository (such as the LDAP directory server) may willingly or unwillingly grant additional rights by picking the same IDs for users and groups, resulting in roles assigned to a group being assigned to the affected user even if he is not a member of this group. Only Keystone setups using LDAP for the Identity driver are affected.

Versions affected: 2014.1
There could be other versions affected, the post isn't absolutely clear about that.
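The failure mode described in the report, as an added illustration that is not Keystone's code and not the attached patch: a constructed directory snapshot in which a user and a group share the ID "1001", a hypothetical assignment store, and a resolver that matches assignments by ID alone beside one that matches by (type, ID). A small defender-side check at the end reports IDs reused across users and groups, which is the condition an LDAP administrator would want to audit for.

```python
"""Simplified, hypothetical model of the CVE-2014-0204 failure mode.

Not Keystone code. Role assignments are modelled as (actor_id, actor_type,
project_id, role) rows; the flawed resolver ignores actor_type, so a group
that shares an ID with a user leaks its roles to that user.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    actor_id: str
    actor_type: str   # "user" or "group"
    project_id: str
    role: str


# Constructed LDAP-style snapshot: user "1001" (alice) and group "1001"
# (cloud-admins) collide on ID; alice is a member of no group at all.
USERS = {
    "1001": {"name": "alice", "groups": []},
    "1002": {"name": "bob", "groups": ["2001"]},
}
GROUPS = {
    "1001": {"name": "cloud-admins"},
    "2001": {"name": "devs"},
}

# Constructed assignment rows: "admin" on proj-a is meant for the group only.
ASSIGNMENTS = [
    Assignment("1001", "group", "proj-a", "admin"),
    Assignment("2001", "group", "proj-a", "member"),
    Assignment("1002", "user", "proj-b", "member"),
]


def effective_roles_flawed(user_id: str, project_id: str) -> list[str]:
    """Resolve roles by ID only: the user's own ID plus its group IDs.

    Because actor_type is never consulted, the group assignment keyed on
    "1001" matches user "1001" even though alice is in no group.
    """
    ids = {user_id, *USERS[user_id]["groups"]}
    return sorted({a.role for a in ASSIGNMENTS
                   if a.actor_id in ids and a.project_id == project_id})


def effective_roles_fixed(user_id: str, project_id: str) -> list[str]:
    """Resolve roles by (actor_type, ID) pairs, so a group's assignment can
    only ever match a group the user actually belongs to."""
    actors = {("user", user_id)} | {("group", g) for g in USERS[user_id]["groups"]}
    return sorted({a.role for a in ASSIGNMENTS
                   if (a.actor_type, a.actor_id) in actors
                   and a.project_id == project_id})


def find_id_collisions(users: dict, groups: dict) -> list[str]:
    """Audit check: IDs that name both a user and a group in the directory."""
    return sorted(set(users) & set(groups))


if __name__ == "__main__":
    print("flawed, alice on proj-a:", effective_roles_flawed("1001", "proj-a"))
    print("fixed,  alice on proj-a:", effective_roles_fixed("1001", "proj-a"))
    print("fixed,  bob on proj-a:  ", effective_roles_fixed("1002", "proj-a"))
    print("colliding IDs:", find_id_collisions(USERS, GROUPS))
```

The (type, ID) keying is one way to express the repair; the actual upstream change is in the attached patch and the Launchpad bug, and the collision check is the operational control an LDAP-backed deployment can run independently of the Keystone version.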
bugbot adjusting priority
Is public:
https://bugs.launchpad.net/keystone/+bug/1309228
https://review.openstack.org/#q,Ia6f1ae2e3af1e968f1a393bd4f2f38812a88a5d0,n,z
So this probably affects openSUSE:Factory and Cloud4. I suggest that we release this with the next Cloud update.
Affected packages: SLE-11-SP3-CLOUD4: openstack-keystone
The fix was part of Cloud 4 GM.