yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #02420
[Bug 1056373] Re: memcache driver needs protection against unicode user keys
This bug was fixed in the package keystone - 2012.1.3+stable-20130423
-f48dd0fc-0ubuntu1
---------------
keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1) precise-proposed; urgency=low
* Resynchronize with stable/essex (LP: #1089488):
- [7402f5e] EC2 authentication does not ensure user or tenant is enabled
LP: 1121494
- [8945567] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
- [7b5b72f] Add size validations for /tokens.
- [ef1e682] docutils 0.10 incompatible with sphinx 1.1.3 LP: 1091333
- [8735009] Removing user from a tenant isn't invalidating user access to
tenant (LP: #1064914)
- [025b1d5] Jenkins jobs fail because of incompatibility between sqlalchemy-
migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
- [ddb4019] Open 2012.1.4 development
- [0e1f05e] memcache driver needs protection against unicode user keys
(LP: #1056373)
- [176ee9b] Token invalidation in case of role grant/revoke should be
limited to affected tenant (LP: #1050025)
- [58ac669] Token validation includes revoked roles (CVE-2012-4413)
(LP: #1041396)
- [cd1e48a] Memcached Token Backend does not support list tokens
(LP: #1046905)
- [5438d3b] Update user's default tenant partially succeeds without authz
(LP: #1040626)
* Dropped patches, superseeded by new snapshot:
- debian/patches/CVE-2013-0282.patch [7402f5e]
- debian/patches/CVE-2013-1664+1665.patch [8945567]
- debian/patches/keystone-CVE-2012-5571.patch [8735009]
- debian/patches/keystone-CVE-2012-4413.patch [58ac669]
- debian/patches/keystone-CVE-2012-3542.patch [5438d3b]
* Refreshed patches:
- debian/patches/CVE-2013-0247.patch
- debian/patches/fix-ubuntu-tests.patch
-- Yolanda <yolanda.robla@xxxxxxxxxxxxx> Tue, 23 Apr 2013 10:30:16 +0200
** Changed in: keystone (Ubuntu Precise)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3542
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-4413
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-5571
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-0247
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-0282
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-1664
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1056373
Title:
memcache driver needs protection against unicode user keys
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone essex series:
Fix Released
Status in “keystone” package in Ubuntu:
Fix Released
Status in “keystone” source package in Precise:
Fix Released
Bug description:
Based on feedback from bug 1046905:
https://bugs.launchpad.net/keystone/+bug/1046905/comments/5
Specifically, if you try to read/write to memcache using a unicode
key, you get a memcache.MemcachedStringEncodingError. This specific
scenarios is described in the above comment:
>>> import memcache
>>> import uuid
>>> memcache.Client(['localhost:11211']).get('usertokens-%s' % unicode(uuid.uuid4().hex))
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/dolph/Environments/os/local/lib/python2.7/site-packages/memcache.py", line 862, in get
return self._get('get', key)
File "/home/dolph/Environments/os/local/lib/python2.7/site-packages/memcache.py", line 813, in _get
self.check_key(key)
File "/home/dolph/Environments/os/local/lib/python2.7/site-packages/memcache.py", line 1014, in check_key
"Keys must be str()'s, not unicode. Convert your unicode "
memcache.MemcachedStringEncodingError: Keys must be str()'s, not unicode. Convert your unicode strings using mystring.encode(charset)!
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1056373/+subscriptions
