Red Hat Product Errata RHSA-2015:1685 - Security Advisory

Issued:: 2015-08-25
Updated:: 2015-08-25

RHSA-2015:1685 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: python-keystoneclient security update

Type/Severity

Security Advisory: Moderate

Topic

Updated python-keystoneclient packages that fix one security issue are
now available for Red Hat Enterprise Linux OpenStack Platform 5.0.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

Python-keystoneclient is a client library and a command-line utility
for interacting with the OpenStack Identity API.

It was discovered that some items in the S3Token configuration as used by
python-keystoneclient were incorrectly evaluated as strings, an issue
similar to CVE-2014-7144. If the "insecure" option was set to "false", the
option would be evaluated as true, resulting in TLS connections being
vulnerable to man-in-the-middle attacks. Note: The "insecure" option
defaults to false, so setups that do not specifically define
"insecure=false" are not affected. (CVE-2015-1852)

Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Brant Knudson from IBM as the original reporter.

All python-keystoneclient users are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 5.0 for RHEL 7 x86_64
Red Hat OpenStack 5.0 for RHEL 6 x86_64

Fixes

BZ - 1209527 - CVE-2015-1852 OpenStack keystonemiddleware/keystoneclient: S3Token TLS cert verification option not honored

CVEs

CVE-2015-1852

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 5.0 for RHEL 7

SRPM
x86_64
python-keystoneclient-0.9.0-6.el7ost.noarch.rpm	SHA-256: 284fa46dfb68361cb13ec70a081d51c7aacabd1d55ee42ac6603636894c4211f
python-keystoneclient-doc-0.9.0-6.el7ost.noarch.rpm	SHA-256: b5156e515f85a4ec46a3e3e073607adb897ee4b76fcec33771d97ee85df0ab6e

Red Hat OpenStack 5.0 for RHEL 6

SRPM
python-keystoneclient-0.9.0-6.el6ost.src.rpm	SHA-256: 9c181f70c0247f4b6ca8d6642a9bb26a98389c31db5241e97fd4ba6b6eedd781
x86_64
python-keystoneclient-0.9.0-6.el6ost.noarch.rpm	SHA-256: a67df065ea298c5d2b43f958c88d04fcfc5836523e70cf21ff77d36a9b80993e
python-keystoneclient-doc-0.9.0-6.el6ost.noarch.rpm	SHA-256: 2e43fb893c96a74e53b15f83e1b7ba6c54c44db71af882108074dd35ff07d5a6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories