python-keystoneclient-3.5.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10471 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python-keystoneclient-3.5.0-1.1 on GA media These are all security issues fixed in the python-keystoneclient-3.5.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10471 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10471 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-0105/ SUSE CVE CVE-2014-0105 page https://www.suse.com/security/cve/CVE-2014-7144/ SUSE CVE CVE-2014-7144 page https://www.suse.com/security/cve/CVE-2015-1852/ SUSE CVE CVE-2015-1852 page openSUSE Tumbleweed python-keystoneclient-3.5.0-1.1 python-keystoneclient-doc-3.5.0-1.1 python-keystoneclient-3.5.0-1.1 as a component of openSUSE Tumbleweed python-keystoneclient-doc-3.5.0-1.1 as a component of openSUSE Tumbleweed The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached." CVE-2014-0105 openSUSE Tumbleweed:python-keystoneclient-3.5.0-1.1 openSUSE Tumbleweed:python-keystoneclient-doc-3.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0105.html CVE-2014-0105 https://bugzilla.suse.com/870102 SUSE Bug 870102 OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. CVE-2014-7144 openSUSE Tumbleweed:python-keystoneclient-3.5.0-1.1 openSUSE Tumbleweed:python-keystoneclient-doc-3.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-7144.html CVE-2014-7144 https://bugzilla.suse.com/897103 SUSE Bug 897103 https://bugzilla.suse.com/928205 SUSE Bug 928205 The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144. CVE-2015-1852 openSUSE Tumbleweed:python-keystoneclient-3.5.0-1.1 openSUSE Tumbleweed:python-keystoneclient-doc-3.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1852.html CVE-2015-1852 https://bugzilla.suse.com/928205 SUSE Bug 928205