[Openstack-devel] Bug#722505: Bug#722505: keystone: CVE-CVE-2013-4294: Token revocation failure using Keystone memcache/KVS backends
Salvatore Bonaccorso
carnil at debian.org
Thu Sep 12 07:04:59 UTC 2013
Hi Thomas,
On Thu, Sep 12, 2013 at 02:35:18PM +0800, Thomas Goirand wrote:
> On 09/12/2013 04:40 AM, Salvatore Bonaccorso wrote:
> > Package: keystone
> > Version: 2013.1.3-1
> > Severity: important
> > Tags: security patch upstream
> >
> > Hi,
> >
> > the following vulnerability was published for keystone.
> >
> > CVE-2013-4294[0]:
> > Token revocation failure using Keystone memcache/KVS backends
> >
> > See furthermore [1] for upstream announce.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4294
> > http://security-tracker.debian.org/tracker/CVE-2013-4294
> > [1] http://lists.openstack.org/pipermail/openstack-announce/2013-September/000142.html
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore.
>
> Please note that this only affects Keystone in Sid/Jessie, since it
> deals with PKI tokens, which is a feature added after the version in
> Wheezy. Please update the tracker accordingly.
Yes indeed. I have marked wheezy not-affected in the tracker already
yesterday after checking that. Thanks for confirming that this is
true.
Regards,
Salvatore
More information about the Openstack-devel
mailing list