Bugzilla – Bug 892097
VUL-0: CVE-2014-5251: openstack-keystone: revocation events are broken with mysql
Last modified: 2014-09-26 23:48:23 UTC
MySQL only stores timestamps with an accuracy of seconds rather than microseconds; doing comparisons of token expiration times will fail and tokens will not show up as being revoked.

Upstream fix:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=7aee6304f653475a4130dc3e5be602e91481f108

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1127259
https://bugs.launchpad.net/keystone/+bug/1347961
http://seclists.org/oss-sec/2014/q3/296
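The mismatch described in the report above, as an added example that is not part of the original bug or of Keystone's code. `RevocationStore`, `seconds_only_column` and the sample timestamp are constructed for illustration; the backend is modelled as dropping the fractional second, and the normalized comparison is one possible mitigation, not a description of the upstream patch.

```python
from datetime import datetime, timedelta


def seconds_only_column(value):
    """Hypothetical stand-in for a DATETIME column that keeps whole seconds."""
    return value.replace(microsecond=0)


def microsecond_column(value):
    """Hypothetical stand-in for a column with microsecond resolution."""
    return value


class RevocationStore:
    """Simplified model: a revocation event is (user_id, expires_at)."""

    def __init__(self, column_roundtrip):
        self._roundtrip = column_roundtrip
        self._events = []

    def revoke_by_expiration(self, user_id, expires_at):
        # The value read back later is whatever the column was able to keep.
        self._events.append((user_id, self._roundtrip(expires_at)))

    def is_revoked_exact(self, user_id, token_expires_at):
        # Exact comparison: fails once the stored value lost its microseconds.
        return (user_id, token_expires_at) in self._events

    def is_revoked_normalized(self, user_id, token_expires_at):
        # Compare at one-second resolution on both sides. This can also match
        # another token of the same user expiring in the same second, which
        # errs towards rejecting a token rather than accepting a revoked one.
        wanted = token_expires_at.replace(microsecond=0)
        return any(uid == user_id and exp.replace(microsecond=0) == wanted
                   for uid, exp in self._events)


def demo():
    # Constructed sample token: expiry carries a non-zero microsecond part.
    expires_at = datetime(2014, 7, 23, 12, 0, 0, 123456) + timedelta(hours=1)
    results = {}
    for name, column in (("microsecond", microsecond_column),
                         ("seconds_only", seconds_only_column)):
        store = RevocationStore(column)
        store.revoke_by_expiration("user-a", expires_at)
        results[name] = (store.is_revoked_exact("user-a", expires_at),
                         store.is_revoked_normalized("user-a", expires_at))
    return results


if __name__ == "__main__":
    for backend, (exact, normalized) in demo().items():
        print(f"{backend}: exact={exact} normalized={normalized}")
```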
bugbot adjusting priority
CVE-2014-5251 was assigned to this issue.
Note that this seems to be a mysql-specific issue (although I'm not sure that people checked postgresql is not affected); so we might not be affected.
I checked http://www.postgresql.org/docs/9.1/static/datatype-datetime.html and it says timestamp resolution 1 microsecond / 14 digits, so SUSE Cloud is not affected. Only openSUSE could use updates. Icehouse already got a backport and the patch does not apply to Havana.
Actually, there is no Icehouse in openSUSE either and our OBS project already has the fix.
SUSE-SU-2014:1219-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 892095,892097,892099
CVE References: CVE-2014-5251,CVE-2014-5252,CVE-2014-5253
Sources used:
SUSE Cloud 4 (src): openstack-keystone-2014.1.3.dev3.gb812131-0.7.1, openstack-keystone-doc-2014.1.3.dev3.gb812131-0.7.1