Candidate: CVE-2014-0105
PublicDate: 2014-04-15 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0105
Description:
 The auth_token middleware in the OpenStack Python client library for
 Keystone (aka python-keystoneclient) before 0.7.0 does not properly
 retrieve user tokens from memcache, which allows remote authenticated users
 to gain privileges in opportunistic circumstances via a large number of
 requests, related to an "interaction between eventlet and
 python-memcached."
Ubuntu-Description:
Notes:
 jdstrand> According to upstream, this is difficult to reliably attack since
  it is dependent on server interactions
 jdstrand> code present in keystone in Essex and Folsom,
  python-keystoneclient in Grizzly and higher
Bugs:
 https://bugs.launchpad.net/python-keystoneclient/+bug/1282865
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742898
Priority: low
Discovered-by: Kieran Spear
Assigned-to:
CVSS:

Patches_python-keystoneclient:
 other: https://launchpadlibrarian.net/171062600/bug-1282865-0.2.5-backport.diff
 upstream: https://review.openstack.org/81078 (trunk)
upstream_python-keystoneclient: released (1:0.6.0-4)
lucid_python-keystoneclient: DNE
precise_python-keystoneclient: not-affected (code-not-present)
precise/esm_python-keystoneclient: DNE (precise was not-affected [code-not-present])
quantal_python-keystoneclient: not-affected (code-not-present)
saucy_python-keystoneclient: ignored (reached end-of-life)
trusty_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)
trusty/esm_python-keystoneclient: DNE (trusty was not-affected [1:0.7.1-ubuntu1])
utopic_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)
vivid_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)
vivid/stable-phone-overlay_python-keystoneclient: DNE
vivid/ubuntu-core_python-keystoneclient: DNE
wily_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)
xenial_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)
esm-infra/xenial_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)
yakkety_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)
zesty_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)
devel_python-keystoneclient: not-affected (1:0.7.1-ubuntu1)

Patches_keystone:
upstream_keystone: released (2013.1.1-2)
lucid_keystone: DNE
precise_keystone: ignored (reached end-of-life)
precise/esm_keystone: DNE (precise was needed)
quantal_keystone: ignored (reached end-of-life)
saucy_keystone: not-affected (1:2013.2.3-0ubuntu1)
trusty_keystone: not-affected (1:2014.1-0ubuntu1)
trusty/esm_keystone: DNE (trusty was not-affected [1:2014.1-0ubuntu1])
utopic_keystone: not-affected (1:2014.1-0ubuntu1)
vivid_keystone: not-affected (1:2014.1-0ubuntu1)
vivid/stable-phone-overlay_keystone: DNE
vivid/ubuntu-core_keystone: DNE
wily_keystone: not-affected (1:2014.1-0ubuntu1)
xenial_keystone: not-affected (1:2014.1-0ubuntu1)
esm-infra/xenial_keystone: not-affected (1:2014.1-0ubuntu1)
yakkety_keystone: not-affected (1:2014.1-0ubuntu1)
zesty_keystone: not-affected (1:2014.1-0ubuntu1)
devel_keystone: not-affected (1:2014.1-0ubuntu1)
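The description above only names the bug class ("interaction between eventlet and python-memcached", wrong token returned under many concurrent requests). The following is an added, self-contained model of that class, written for this entry; it is not python-keystoneclient or keystone code and does not reproduce the upstream patch. It assumes the failure shape a reviewer would expect from a single client object with one socket shared by cooperatively scheduled workers: request A writes its key, the scheduler switches while A waits for I/O, request B writes its key on the same socket, and A then reads B's reply. A generator-based round-robin loop stands in for the eventlet hub, `SharedSocketClient` for a non-greenthread-safe memcache client, and `ClientPool` for the mitigation of giving each in-flight lookup its own client. All token data is constructed sample input.

```python
"""Model of cross-request token mix-up in a shared, non-greenthread-safe
cache client, and the one-client-per-lookup fix.

Added illustration for CVE-2014-0105; not python-keystoneclient code.
"""
from collections import deque

# Constructed sample backend contents: token id -> token payload.
BACKEND = {
    "tok-alice": {"user": "alice", "roles": ["member"]},
    "tok-admin": {"user": "root", "roles": ["admin"]},
}


class SharedSocketClient:
    """Stand-in for a client whose single socket is shared by all callers.

    get() is a generator: it writes the request, yields (the point where a
    cooperative scheduler would switch workers while this one waits on
    the socket), then reads whatever reply is sitting in the shared slot.
    """

    def __init__(self):
        self._inflight = None  # the one shared "socket" state

    def get(self, key):
        self._inflight = key           # send request on the shared socket
        yield                          # block on I/O; another worker runs
        answered_key = self._inflight  # read the reply that is now present
        return BACKEND.get(answered_key)


class ClientPool:
    """Pool of private clients; a lookup holds one client for its whole round trip."""

    def __init__(self, size):
        self._free = deque(SharedSocketClient() for _ in range(size))

    def acquire(self):
        while not self._free:
            yield  # pool exhausted: wait until another lookup releases a client
        return self._free.popleft()

    def release(self, client):
        self._free.append(client)


def run_round_robin(tasks):
    """Cooperative round-robin scheduler over generators (eventlet-hub stand-in)."""
    queue = deque(tasks)
    results = {}
    while queue:
        name, gen = queue.popleft()
        try:
            next(gen)
            queue.append((name, gen))   # yielded: put it back and run the next worker
        except StopIteration as done:
            results[name] = done.value  # finished: record what the lookup returned
    return results


def validate_shared(client, token_id):
    """auth_token-style lookup that reuses one process-wide client (vulnerable model)."""
    return (yield from client.get(token_id))


def validate_pooled(pool, token_id):
    """Same lookup, but a client is checked out for the full request/reply exchange."""
    client = yield from pool.acquire()
    try:
        return (yield from client.get(token_id))
    finally:
        pool.release(client)


def run_shared_client():
    """Two concurrent validations through one shared client; returns name -> token data."""
    client = SharedSocketClient()
    return run_round_robin([
        ("alice", validate_shared(client, "tok-alice")),
        ("admin", validate_shared(client, "tok-admin")),
    ])


def run_pooled_client(pool_size):
    """Same two validations through a pool; any pool_size >= 1 keeps replies matched."""
    pool = ClientPool(pool_size)
    return run_round_robin([
        ("alice", validate_pooled(pool, "tok-alice")),
        ("admin", validate_pooled(pool, "tok-admin")),
    ])


if __name__ == "__main__":
    print("shared client:", run_shared_client())   # alice receives root's token data
    print("pooled client:", run_pooled_client(1))  # each lookup gets its own reply
```

In the shared run the scheduler switches after each worker has written its request but before it has read the reply, so the lookup for `tok-alice` returns the admin payload: exactly the "gain privileges in opportunistic circumstances" outcome the description refers to, and only when two lookups overlap, which is why a large number of requests is needed to hit it. With the pool, a client is held for the whole exchange, so concurrent lookups either use different sockets or wait; even a pool of size 1 is correct, just serialized.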