[OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled
Bug #1121494 reported by Nathanael Burton
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Dolph Mathews |
Essex | Fix Released | High | Unassigned |
Folsom | Fix Released | High | Dolph Mathews |
OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez |
Bug Description
Keystone does not check whether a user, tenant, or domain is enabled before authenticating a user using the EC2 API. I've attached three patches based on Grizzly (master), stable/folsom, and stable/essex. For the Grizzly patch, I've refactored the code to ensure the same checks used in token-based auth are checked when using EC2 signature-based auth.
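The following sketch is an added illustration of the missing check described in the report; it is not Keystone's code and not one of the attached patches. All names, the in-memory records, and the simplified HMAC signature are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for the identity backend; not Keystone's schema or API.
DOMAINS = {"default": {"enabled": True}, "retired": {"enabled": False}}
TENANTS = {"t-live": {"enabled": True, "domain_id": "default"},
           "t-off": {"enabled": False, "domain_id": "default"}}
USERS = {"alice": {"enabled": True, "domain_id": "default"},
         "bob": {"enabled": False, "domain_id": "default"},
         "carol": {"enabled": True, "domain_id": "retired"}}
EC2_CREDS = {  # access key -> secret plus the user/tenant it was issued for
    "AK-ALICE": {"secret": b"alice-secret", "user_id": "alice", "tenant_id": "t-live"},
    "AK-BOB": {"secret": b"bob-secret", "user_id": "bob", "tenant_id": "t-live"},
    "AK-CAROL": {"secret": b"carol-secret", "user_id": "carol", "tenant_id": "t-live"},
    "AK-ALICE-OFF": {"secret": b"alice-secret-2", "user_id": "alice", "tenant_id": "t-off"},
}

class Unauthorized(Exception):
    pass

def sign(secret, string_to_sign):
    # Simplified stand-in for the EC2 request signature (HMAC-SHA256 over the request).
    return hmac.new(secret, string_to_sign, hashlib.sha256).hexdigest()

def assert_enabled(user_id, tenant_id):
    # One shared check for every auth path: user, tenant, and the domain of each.
    for kind, record in (("user", USERS[user_id]), ("tenant", TENANTS[tenant_id])):
        if not record["enabled"]:
            raise Unauthorized(kind + " disabled")
        if not DOMAINS[record["domain_id"]]["enabled"]:
            raise Unauthorized(kind + " domain disabled")

def authenticate_ec2(access_key, string_to_sign, signature, check_enabled=True):
    cred = EC2_CREDS.get(access_key)
    if cred is None:
        raise Unauthorized("invalid EC2 credentials")
    expected = sign(cred["secret"], string_to_sign)
    if not hmac.compare_digest(expected, signature):
        raise Unauthorized("invalid EC2 credentials")
    if check_enabled:  # False reproduces the reported behaviour: signature only
        assert_enabled(cred["user_id"], cred["tenant_id"])
    return {"user_id": cred["user_id"], "tenant_id": cred["tenant_id"]}

def outcome(access_key, check_enabled=True):
    # Sign a constructed request with the key's own secret and report the result.
    request = b"GET\nexample.invalid\n/\nAction=DescribeInstances"
    signature = sign(EC2_CREDS[access_key]["secret"], request)
    try:
        authenticate_ec2(access_key, request, signature, check_enabled)
        return "token issued"
    except Unauthorized as exc:
        return str(exc)
```

Calling `outcome("AK-BOB", check_enabled=False)` shows why a valid signature alone is insufficient: the disabled user still receives a token until the shared enabled check runs on the EC2 path.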
CVE References
Changed in keystone:
status: Confirmed → Triaged
information type: Private Security → Public Security

Changed in keystone:
milestone: none → grizzly-3
status: Fix Committed → Fix Released

Changed in keystone:
milestone: grizzly-3 → 2013.1
tags: removed: essex-backport-potential folsom-backport-potential

Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released
summary:
- EC2 authentication does not ensure user or tenant is enabled
+ [OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled
Awesome !
Adding Keystone core for patch review.