SUSE-SU-2013:0488-1: moderate: Security update for openstack-keystone

sle-security-updates at lists.suse.com
Tue Mar 19 16:04:33 MDT 2013


   SUSE Security Update: Security update for openstack-keystone
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0488-1
Rating:             moderate
References:         #803351 #803739 
Affected Products:
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:


   OpenStack Keystone has been updated to fix various bugs and
   security issues.

   The following security issues have been fixed:

   * CVE-2013-0282: EC2-style authentication accepts
     disabled user/tenants.

   * CVE-2013-0280: Jonathan Murray from NCC Group, Joshua
     Harlow from Yahoo! and Stuart Stent independently reported
     a vulnerability in the parsing of XML requests in Keystone,
     Nova and Cinder. By using entities in XML requests, an
     unauthenticated attacker may consume excessive resources on
     the Keystone, Nova or Cinder API servers, resulting in a
     denial of service and potentially a crash. Authenticated
     attackers may also leverage XML entities to read the
     content of a local file on the Keystone API server. This
     only affects servers with XML support enabled.
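
   One way an API server can refuse the XML constructs behind
   CVE-2013-0280 before it parses a request body, using only the
   Python standard library. This is an added example, not code from
   the advisory or from the Keystone fix; parse_untrusted_xml,
   ForbiddenXML and the sample request bodies are constructed for
   illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The request body uses a DTD construct the API refuses to process."""


def _reject(kind):
    # Build an expat callback that aborts the parse as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(f"{kind} is not allowed in request bodies")
    return handler


def parse_untrusted_xml(body: bytes) -> ET.Element:
    """Return the parsed root element, or raise before any entity is expanded."""
    # Pass 1: scan with expat. Entities can only be declared inside a DOCTYPE,
    # so stopping at its first token covers both entity expansion and
    # external entities; the other two handlers are a second line of defence.
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    scanner.EntityDeclHandler = _reject("entity declaration")
    scanner.ExternalEntityRefHandler = _reject("external entity reference")
    try:
        scanner.Parse(body, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    # Pass 2: the body carries no DTD, so there are no declared entities to expand.
    return ET.fromstring(body)


# Constructed sample request bodies (not taken from the advisory).
BENIGN = b'<auth><passwordCredentials username="demo"/></auth>'
NESTED_ENTITIES = (
    b'<!DOCTYPE auth [<!ENTITY a "xxxx"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<auth>&b;</auth>"
)
EXTERNAL_ENTITY = (
    b'<!DOCTYPE auth [<!ENTITY f SYSTEM "file:///placeholder">]>'
    b"<auth>&f;</auth>"
)

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("nested", NESTED_ENTITIES),
                       ("external", EXTERNAL_ENTITY)]:
        try:
            print(name, "accepted:", parse_untrusted_xml(body).tag)
        except ForbiddenXML as exc:
            print(name, "rejected:", exc)
```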


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-openstack-keystone-7494

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Cloud 1.0 (x86_64):

      openstack-keystone-2012.1+git.1353613280.c17a999-0.9.1
      openstack-keystone-doc-2012.1+git.1353613280.c17a999-0.9.1
      python-keystone-2012.1+git.1353613280.c17a999-0.9.1


References:

   https://bugzilla.novell.com/803351
   https://bugzilla.novell.com/803739
   http://download.novell.com/patch/finder/?keywords=fc8cc45f60ac6f0e29e07fe6db3c82cd


