—

PYSEC-2013-41

Details

OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / keystone

Introduced in: 0 Fixed in: 8.0.0a0

Fix pip install --upgrade 'keystone>=8.0.0a0'

References

https://bugs.launchpad.net/keystone/+bug/1166670 [EVIDENCE]
http://osvdb.org/93134 [WEB]
http://secunia.com/advisories/53326 [ADVISORY]
http://secunia.com/advisories/53339 [ADVISORY]
http://www.openwall.com/lists/oss-security/2013/05/09/3 [WEB]
http://www.securityfocus.com/bid/59787 [WEB]
http://www.openwall.com/lists/oss-security/2013/05/09/4 [WEB]
http://lists.opensuse.org/opensuse-updates/2013-06/msg00085.html [WEB]
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106220.html [WEB]
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105916.html [WEB]
https://exchange.xforce.ibmcloud.com/vulnerabilities/84135 [WEB]