yahoo-eng-team team mailing list archive

[Bug 1056373] Re: memcache driver needs protection against unicode user keys

 

This bug was fixed in the package keystone - 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1

---------------
keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1) precise-proposed; urgency=low

  * Resynchronize with stable/essex (LP: #1089488):
    - [7402f5e] EC2 authentication does not ensure user or tenant is enabled
      LP: 1121494
    - [8945567] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
    - [7b5b72f] Add size validations for /tokens.
    - [ef1e682] docutils 0.10 incompatible with sphinx 1.1.3 LP: 1091333
    - [8735009] Removing user from a tenant isn't invalidating user access to
      tenant (LP: #1064914)
    - [025b1d5] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [ddb4019] Open 2012.1.4 development
    - [0e1f05e] memcache driver needs protection against unicode user keys
      (LP: #1056373)
    - [176ee9b] Token invalidation in case of role grant/revoke should be
      limited to affected tenant (LP: #1050025)
    - [58ac669] Token validation includes revoked roles (CVE-2012-4413)
      (LP: #1041396)
    - [cd1e48a] Memcached Token Backend does not support list tokens
      (LP: #1046905)
    - [5438d3b] Update user's default tenant partially succeeds without authz
      (LP: #1040626)
  * Dropped patches, superseded by new snapshot:
    - debian/patches/CVE-2013-0282.patch [7402f5e]
    - debian/patches/CVE-2013-1664+1665.patch [8945567]
    - debian/patches/keystone-CVE-2012-5571.patch [8735009]
    - debian/patches/keystone-CVE-2012-4413.patch [58ac669]
    - debian/patches/keystone-CVE-2012-3542.patch [5438d3b]
  * Refreshed patches:
    - debian/patches/CVE-2013-0247.patch
    - debian/patches/fix-ubuntu-tests.patch
 -- Yolanda <yolanda.robla@xxxxxxxxxxxxx>   Tue, 23 Apr 2013 10:30:16 +0200

** Changed in: keystone (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3542

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5571

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0247

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0282

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1664

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1056373

Title:
  memcache driver needs protection against unicode user keys

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Released
Status in “keystone” package in Ubuntu:
  Fix Released
Status in “keystone” source package in Precise:
  Fix Released

Bug description:
  Based on feedback from bug 1046905:
  https://bugs.launchpad.net/keystone/+bug/1046905/comments/5

  Specifically, if you try to read/write to memcache using a unicode
  key, you get a memcache.MemcachedStringEncodingError. This specific
  scenario is described in the above comment:

      >>> import memcache
      >>> import uuid
      >>> memcache.Client(['localhost:11211']).get('usertokens-%s' % unicode(uuid.uuid4().hex))
      Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
        File "/home/dolph/Environments/os/local/lib/python2.7/site-packages/memcache.py", line 862, in get
          return self._get('get', key)
        File "/home/dolph/Environments/os/local/lib/python2.7/site-packages/memcache.py", line 813, in _get
          self.check_key(key)
        File "/home/dolph/Environments/os/local/lib/python2.7/site-packages/memcache.py", line 1014, in check_key
          "Keys must be str()'s, not unicode.  Convert your unicode "
      memcache.MemcachedStringEncodingError: Keys must be str()'s, not unicode.  Convert your unicode strings using mystring.encode(charset)!

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1056373/+subscriptions
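
An added example (not Keystone's fix and not code from this report) of one way a memcache driver can guard against the error in the traceback above: encode text keys to UTF-8 bytes before they reach the client, and replace keys memcached would reject (whitespace, control bytes, over 250 bytes) with a fixed-length digest. The helper name `safe_memcache_key`, the `sha256:` tag and the 64-byte prefix limit are assumptions of this example.

```python
import hashlib

MAX_KEY_BYTES = 250       # memcached rejects longer keys
DIGEST_TAG = b"sha256:"   # marks keys that were replaced by a digest (assumed convention)


def _to_bytes(value):
    """Encode text as UTF-8; pass byte strings through unchanged."""
    return value if isinstance(value, bytes) else value.encode("utf-8")


def _is_plain(raw):
    """True if raw has no whitespace or control bytes, which memcached forbids in keys."""
    return all(b > 32 and b != 127 for b in bytearray(raw))


def safe_memcache_key(prefix, user_key):
    """Build a byte-string memcached key from a fixed prefix and a user-supplied key."""
    prefix_b = _to_bytes(prefix)
    if not prefix_b or not _is_plain(prefix_b) or len(prefix_b) > 64:
        raise ValueError("prefix must be a short constant without whitespace")
    user_b = _to_bytes(user_key)
    key = prefix_b + user_b
    # Use the key literally only when memcached accepts it and it cannot be
    # mistaken for a digest-substituted key.
    if (user_b and _is_plain(user_b) and len(key) <= MAX_KEY_BYTES
            and not user_b.startswith(DIGEST_TAG)):
        return key
    # Otherwise substitute a fixed-length digest of the user-supplied part.
    digest = hashlib.sha256(user_b).hexdigest().encode("ascii")
    return prefix_b + DIGEST_TAG + digest


if __name__ == "__main__":
    # Constructed sample input mirroring the 'usertokens-%s' key in the report.
    print(safe_memcache_key(u"usertokens-", u"0123abcd"))
```

Both text and byte-string inputs map to the same key, so a token written under one type can be read back under the other.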