Thomas Goirand wrote:
> Hi Thierry and Dan,
>
> I got very confused about CVE-2013-0247 and CVE-2013-0270.
>
> I have already uploaded the fix for CVE-2013-0247 in Debian SID, and now
> I'm trying to understand what CVE-2013-0270 is about. My request about
> it in the OpenStack development list was left without an answer, so I'm
> asking you directly, with Cc: to the already opened Debian bug.

Sorry for the delay in answering, I'm travelling right now so it's a bit difficult to do the research. I have no idea what CVE-2013-0270 is. So it might indeed be a duplicate of CVE-2013-0247, which is the one we issued OSSA-2013-003 for.

> The problem is that the patches I've read for CVE-2013-0270 for Essex
> seem to do the exact same thing as the patches for CVE-2013-0247 (in a
> slightly different way), and of course, both patches are conflicting.
>
> So, could you please confirm what my gut is telling me, which is that
> this patch:
> http://anonscm.debian.org/gitweb/?p=openstack/keystone.git;a=commitdiff;h=b6fe7d8c7719996b3b5a8765dee55bb0eb2944df
>
> which fixes CVE-2013-0247 also fixes CVE-2013-0270, which must be a
> duplicate of CVE-2013-0247. If this isn't the case, please tell me
> what's going on, and what you think I should do to fix Keystone in
> Debian Wheezy. I can apply things "by hand" if needed...

I think you are right. I suspect CVE-2013-0270 was assigned after we released our advisory, which was about -0247.

Cheers,

--
Thierry Carrez (ttx)
Release Manager, OpenStack