On 09/25/2014 05:05 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> (only replying for the version information, haven't looked at the actual
> issues):
>
> On Thu, Sep 25, 2014 at 03:28:41PM +0800, Thomas Goirand wrote:
>> On 09/25/2014 05:34 AM, Luciano Bello wrote:
>>> Package: python-keystoneclient
>>> Severity: important
>>> Tags: security upstream patch fixed-upstream
>>>
>>> Hi there,
>>> the following vulnerabilities were published for python-keystoneclient:
>>>
>>> CVE-2014-7144: TLS cert verification option not honored in paste configs
>>>
>>> If you fix the vulnerabilities please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>> http://seclists.org/oss-sec/2014/q3/620
>>> https://review.openstack.org/#/c/113191/
>>>
>>> Please adjust the affected versions in the BTS as needed. Can you please
>>> confirm to the security-team if the stable version is affected?
>>>
>>> Regards, luciano
>>
>> Hi Luciano,
>>
>> You've sent the same bug report twice, using the same CVE, but for both
>> keystonemiddleware and keystoneclient. Is this intentional?
>>
>> CVE-2014-7144 is about keystonemiddleware. Stable isn't affected (it
>> doesn't contain keystonemiddleware). Though if there's another CVE which
>> I'm not (yet) aware of on keystoneclient, then this would have to be
>> checked.
>
> This is according to the upstream advisory at
> http://www.openwall.com/lists/oss-security/2014/09/17/3
>
> Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1
> (python-keystoneclient)
>
> Does this hold also for python-keystoneclient in Debian?
Yes, it seems the versions currently in Sid/Jessie and Experimental are affected. I think I'm going to upload version 0.10.1 into Sid, since there's no dependency problem (and python-*client packages are always backward compatible with older APIs). Then I'll upgrade to a newer version in Experimental (which may be better for the latest release of OpenStack Juno anyway).

As for what's in Wheezy, I just had a look. It doesn't seem like it would be affected, because the code is very different, and there's not even a middleware folder there.

Cheers,

Thomas Goirand (zigo)