Hi Thomas,

Cc'ing the Security Team as they might give better input on this.

On Wed, Feb 13, 2013 at 10:14:20PM +0800, Thomas Goirand wrote:
> Hi Salvatore,
>
> This was already fixed before you submitted the bug. See #699835.
>
> Next time, please check the bug history, because this made me lose
> quite some time, thinking that this was a new issue.

I have done this to the best of my knowledge. I was reporting found/assigned CVEs, but mistakes can happen. E.g. in the keystone changelog it's referring to CVE-2013-0247.

There are two CVEs so far. This is the information I have available:

- CVE-2013-0247 (#699835): Keystone denial of service through invalid token requests
  Announce: https://lists.launchpad.net/openstack/msg20689.html
  Upstream patch for Essex: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff;h=7b5b72f4c1d16968435fb2e18c4f47765bd8f098
  Upstream patch for Folsom: https://github.com/openstack/keystone/commit/bb2226f944aaa38beb7fc08ce0a78796e51e2680
  Launchpad: https://bugs.launchpad.net/keystone/+bug/1098307

  AFAICS, the patch for Essex was applied to keystone/2012.1.1-12.

- CVE-2013-0270 (#700240): OpenStack Keystone: Large HTTP request DoS
  Still valid for 2012.2.1? In [1] it is mentioned it introduces new features. Thus for Essex a patch based on the one for #699835 is referenced. Strictly speaking, for 2012.1.1 the fix for it would introduce new features and thus might not be applicable.

  Open is still the CVE for keystone in experimental, which might be fixed with [2].

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0270
[2]: https://github.com/openstack/keystone/commit/7691276b869a86c2b75631d5bede9f61e030d9d8
[3]: https://bugs.launchpad.net/keystone/+bug/1099025

From my understanding (please correct me): CVE-2013-0247 and CVE-2013-0270 are two 'different' vulnerabilities. But the fix for CVE-2013-0270 cannot be applied to 2012.1.1 as it introduces new "features", thus Essex can only be fixed with the patch already applied. So closing the bugs for 2012.1.1 as you did looks correct.
I added some 'found' markings to the BTS (please see both bugs).

Thanks for your work done,

Regards,
Salvatore