[Openstack-devel] Bug#713819: python-keystoneclient: CVE-2013-2166 CVE-2013-2167: Issues in Keystone middleware memcache signing/encryption feature

Salvatore Bonaccorso carnil at debian.org
Sat Jun 22 20:52:26 UTC 2013


Package: python-keystoneclient
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerabilities were published for python-keystoneclient.

CVE-2013-2166[0]:
middleware memcache encryption bypass

CVE-2013-2167[1]:
middleware memcache signing bypass

See [2] for further reference.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2166
    http://security-tracker.debian.org/tracker/CVE-2013-2166
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2167
    http://security-tracker.debian.org/tracker/CVE-2013-2167
[2] http://marc.info/?l=oss-security&m=137165644225629&w=2 

According to the advisory it should affect only upstream 0.2.3 to 0.2.5.
Could you please double-check this and adjust the found version for the BTS?

Regards,
Salvatore 


