Ubuntu Security Notice 1875-1 - Eoghan Glynn and Alex Meade discovered that Keystone did not properly perform expiry checks for the PKI tokens used in Keystone. If Keystone were setup to use PKI tokens, a previously authenticated user could continue to use a PKI token for longer than intended. This issue only affected Ubuntu 12.10 which does not use PKI tokens by default. Jose Castro Leon discovered that Keystone did not properly authenticate users when using the LDAP backend. An attacker could obtain valid tokens and impersonate other users by supplying an empty password. By default, Ubuntu does not use the LDAP backend. Various other issues were also addressed.
1cb5daa1d046cc30e236c0c00c00ef32e4a05f8cd353fce3c781247855fb7f22
Red Hat Security Advisory 2013-0944-01 - Python-keystoneclient is the client library and command line utility for interacting with the OpenStack identity API. A flaw in Keystone allowed an attacker with access to the web and network interfaces of services utilizing python-keystoneclient to continue using PKI tokens that had expired. This would allow the attacker to continue using the PKI tokens despite the PKI tokens being expired, giving them continued access to OpenStack services. This issue was discovered by Eoghan Glynn of Red Hat.
6a10372c8aecfb3cc13a430908942c01b308ed0bef169925ff80a306f8a72dbc
Ubuntu Security Notice 1851-1 - Eoghan Glynn and Alex Meade discovered that python-keystoneclient did not properly perform expiry checks for the PKI tokens used in Keystone. If Keystone were setup to use PKI tokens (the default in Ubuntu 13.04), a previously authenticated user could continue to use a PKI token for longer than intended.
0f9a2d7368666d25c099d33542339b7ff0b9e7c2fab2ff32bb4badd3cce05a09