Bugzilla – Bug 892095
VUL-0: CVE-2014-5252: openstack-keystone: token expiration date stored incorrectly
Last modified: 2014-10-06 08:53:39 UTC
In Keystone V2 token support, by creating a token using the V2 API, a user may evade token revocation. When the token is processed by the V3 API, its "issued_at" time is wrongly updated and then the service will fail to revoke it. Only Keystone setups configured to use revocation events and UUID tokens are affected.

Commit that fixes this issue:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=a4c73e4382cb062aa9f30fe1960d5014d3c49cc2

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1127250
https://bugs.launchpad.net/keystone/+bug/1348820
http://seclists.org/oss-sec/2014/q3/375
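The failure mode described above, as an added example that is not part of the original report and is not Keystone code: a simplified model in which a revocation event matches tokens issued at or before its cutoff, so overwriting "issued_at" at validation time moves the token past the cutoff. All names (`Token`, `RevocationEvent`, `validate`, `refresh_issued_at`) and the timestamps are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Token:
    user_id: str
    issued_at: datetime


@dataclass
class RevocationEvent:
    # Assumption: an event revokes every token of this user that was
    # issued at or before the cutoff time.
    user_id: str
    issued_before: datetime

    def matches(self, token: Token) -> bool:
        return (token.user_id == self.user_id
                and token.issued_at <= self.issued_before)


def validate(stored: Token, events, now: datetime,
             refresh_issued_at: bool) -> bool:
    """Return True if the token is accepted, False if it is revoked.

    refresh_issued_at=True models the defect: the stored issue time is
    replaced with the current time before revocation events are checked.
    refresh_issued_at=False models the corrected behaviour: the original
    issue time is preserved.
    """
    issued_at = now if refresh_issued_at else stored.issued_at
    presented = Token(stored.user_id, issued_at)
    return not any(event.matches(presented) for event in events)


def demo():
    # Constructed timeline: token issued at t0, revoked 5 minutes later,
    # presented for validation 10 minutes after issue.
    t0 = datetime(2014, 8, 1, 12, 0, tzinfo=timezone.utc)
    token = Token("alice", t0)
    events = [RevocationEvent("alice", t0 + timedelta(minutes=5))]
    later = t0 + timedelta(minutes=10)

    accepted_with_defect = validate(token, events, later, True)
    accepted_with_fix = validate(token, events, later, False)
    return accepted_with_defect, accepted_with_fix


if __name__ == "__main__":
    print(demo())
```

A regression test for the fix follows the same shape: issue a token, record a revocation event, validate later, and assert that the issue time seen by the revocation check equals the stored one.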
bugbot adjusting priority
CVE-2014-5252 was assigned to this issue.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-09-03. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58665
Affected packages: SLE-11-SP3-CLOUD4: openstack-keystone
SUSE-SU-2014:1219-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 892095,892097,892099
CVE References: CVE-2014-5251,CVE-2014-5252,CVE-2014-5253
Sources used:
SUSE Cloud 4 (src): openstack-keystone-2014.1.3.dev3.gb812131-0.7.1, openstack-keystone-doc-2014.1.3.dev3.gb812131-0.7.1
update is out -> fixed