Hi Thomas, (only replying for the version information, haven't looked at the actual issues):
On Thu, Sep 25, 2014 at 03:28:41PM +0800, Thomas Goirand wrote:
> On 09/25/2014 05:34 AM, Luciano Bello wrote:
> > Package: python-keystoneclient
> > Severity: important
> > Tags: security upstream patch fixed-upstream
> >
> > Hi there,
> > the following vulnerabilities were published for python-keystoneclient:
> >
> > CVE-2014-7144: TLS cert verification option not honored in paste configs
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> > http://seclists.org/oss-sec/2014/q3/620
> > https://review.openstack.org/#/c/113191/
> >
> > Please adjust the affected versions in the BTS as needed. Can you please
> > confirm to the security-team if the stable version is affected?
> >
> > Regards, luciano
>
> Hi Luciano,
>
> You've sent twice the same bug report, using the same CVE, but for both
> keystonemiddleware and keystoneclient. Is this intentional?
>
> CVE-2014-7144 is about keystonemiddleware. Stable isn't affected (it
> doesn't contain keystonemiddleware). Though if there's another CVE which
> I'm not (yet) aware of on keystoneclient, then this would have to be
> checked.

This is according to the upstream advisory at
http://www.openwall.com/lists/oss-security/2014/09/17/3

Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient)

Does this hold also for python-keystoneclient in Debian?

Regards,
Salvatore