Your message dated Thu, 30 Aug 2012 18:47:45 +0000
with message-id <e1t79ml-0005af...@franck.debian.org>
and subject line Bug#686265: fixed in keystone 2012.1.1-5
has caused the Debian Bug report #686265,
regarding CVE-2012-3542: Fixes lack of authorization for adding users to tenants
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
686265: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686265
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: keystone
Version: 2012.1.1-4
Severity: grave
As per the embargoed email I received:
Title: Lack of authorization for adding users to tenants
Impact: Critical
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom
Dolph Mathews reported a vulnerability in Keystone. When attempting to
update a user's default tenant, Keystone will only partially deny the
request when a user is not authorized to complete this action. The API
responds with 401 Not Authorized and the user's default tenant is not
changed. However, the user is still granted membership to this new
tenant. The result is that any client that can reach the
administrative API (deployed on port 35357, by default) can add any
user to any tenant.
Cheers,
Thomas Goirand (zigo)
--- End Message ---
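The partial-denial pattern the advisory above describes, as an added toy model written for this note (it is not Keystone's code; the User and Caller classes, the handler names and the tenant name are assumptions): a handler that commits the membership grant before the authorization check, next to one that authorizes before touching any state.

```python
"""Illustrative model (not Keystone's code) of the CVE-2012-3542 failure mode:
an authorization check that runs only after a side effect has been committed,
so a request that is denied with 401 still leaves the user in the new tenant."""
from dataclasses import dataclass, field
from typing import Optional, Set


class NotAuthorized(Exception):
    """Stands in for the HTTP 401 response the advisory describes."""


@dataclass
class User:
    name: str
    default_tenant: Optional[str] = None
    tenants: Set[str] = field(default_factory=set)  # tenant memberships


@dataclass
class Caller:
    name: str
    is_admin: bool  # assumption: admin API access is what the check should gate


def update_default_tenant_vulnerable(caller, user, tenant):
    """Defective ordering: grant membership first, authorize afterwards.
    The 401 is raised, but the membership added just before it is never rolled back."""
    user.tenants.add(tenant)  # side effect committed before any authorization
    if not caller.is_admin:
        raise NotAuthorized(caller.name)
    user.default_tenant = tenant


def update_default_tenant_fixed(caller, user, tenant):
    """Hardened ordering: authorize before any state changes, so a denied
    request leaves both the default tenant and the memberships untouched."""
    if not caller.is_admin:
        raise NotAuthorized(caller.name)
    user.tenants.add(tenant)
    user.default_tenant = tenant


def run(handler, is_admin=False):
    """Drive a handler with a constructed caller and report the residual state."""
    user = User("alice")  # constructed sample user
    try:
        handler(Caller("mallory", is_admin), user, "finance")
        denied = False
    except NotAuthorized:
        denied = True
    return {"denied": denied, "default": user.default_tenant,
            "member": "finance" in user.tenants}


if __name__ == "__main__":
    print("vulnerable:", run(update_default_tenant_vulnerable))
    print("fixed:     ", run(update_default_tenant_fixed))
```

The vulnerable handler reports the request as denied while the membership remains; the fixed handler leaves no trace of a denied request.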
--- Begin Message ---
Source: keystone
Source-Version: 2012.1.1-5
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 686...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Mon, 27 Aug 2012 11:45:44 +0000
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.1.1-5
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
keystone - OpenStack identity service
keystone-doc - OpenStack identity service - documentation
python-keystone - OpenStack identity service - library
Closes: 685671 686265
Changes:
keystone (2012.1.1-5) unstable; urgency=low
.
* CVE-2012-3542: Fixes lack of authorization for adding users to tenants
(Closes: #686265)
* Added Chinese debconf translation thanks to ben <duyujie....@gmail.com>.
* Really adds the nl debconf translation this time (Closes: #685671).
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---