Red Hat Security Advisory 2014-0113-01 - The openstack-keystone packages provide keystone, a Python implementation of the OpenStack Identity service API, which provides Identity, Token, Catalog, and Policy services. A flaw was discovered in the way the LDAP backend in keystone handled the removal of a role. A user could unintentionally be granted a role if the role being removed had not been previously granted to that user. Note that only OpenStack Identity setups using an LDAP backend were affected. All openstack-keystone users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
4ed18adab99d93bc8ef3094e04168b8b3fbc0330b8728fb4595ecc73eb7dca15
Ubuntu Security Notice 2034-1 - Brant Knudson discovered a logic error in the LDAP backend in Keystone where removing a role on a tenant for a user who does not have that role would instead add the role to the user. An authenticated user could use this to gain privileges. Ubuntu is not configured to use the LDAP Keystone backend by default.
ef9b36d31a347025ca7888b49d3b6bf656af60651b29c0135174ed51b7115535