Security update for openstack-keystone
An update that contains security fixes can now be installed.
OpenStack Keystone has been updated to fix various bugs and
The following security issues have been fixed:
CVE-2013-0282: EC2-style authentication accepts
CVE-2013-0280: Jonathan Murray from NCC Group, Joshua
Harlow from Yahoo! and Stuart Stent independently reported
a vulnerability in the parsing of XML requests in Keystone,
Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on
the Keystone, Nova or Cinder API servers, resulting in a
denial of service and potentially a crash. Authenticated
attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This
only affects servers with XML support enabled.
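
Added example, not part of the SUSE advisory or of the Keystone fix: one way an API front end can refuse XML request bodies that declare a DTD or entities before anything is expanded, using Python's standard expat bindings. The function name, the forbid_dtd switch and the sample bodies are constructed for illustration.

```python
from xml.parsers import expat

class ForbiddenXML(ValueError):
    """The request body uses a DTD or entity feature we refuse to process."""

def screen_request_xml(body, forbid_dtd=True):
    """Return (accepted, reason) for an XML request body given as bytes.

    Hypothetical pre-parse gate: expat scans the body and parsing is aborted
    at the first DOCTYPE or entity declaration, so nothing is ever expanded.
    With forbid_dtd=False a DOCTYPE is tolerated but entities are still refused.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE declaration")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # value is None for external entities (sysid then holds the location).
        kind = "external" if value is None else "internal"
        raise ForbiddenXML("%s entity declaration" % kind)

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: never resolve an external entity reference.
        raise ForbiddenXML("external entity reference")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except ForbiddenXML as exc:
        return (False, "rejected: %s" % exc)
    except expat.ExpatError:
        return (False, "rejected: malformed XML")
    return (True, "accepted")

# Constructed sample bodies (not captured traffic).
PLAIN = b'<auth><passwordCredentials username="demo" password="pw"/></auth>'
NESTED = (b'<!DOCTYPE auth [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]>'
          b'<auth>&b;</auth>')
EXTERNAL = (b'<!DOCTYPE auth [<!ENTITY f SYSTEM "file:///constructed/placeholder">]>'
            b'<auth>&f;</auth>')

if __name__ == "__main__":
    for label, body in (("plain", PLAIN), ("nested", NESTED), ("external", EXTERNAL)):
        print(label, screen_request_xml(body))
```
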
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Cloud 1.0:
zypper in -t patch sleclo10sp2-openstack-keystone-7494
To bring your system up-to-date, use "zypper patch".
- SUSE Cloud 1.0 (x86_64):