Your message dated Tue, 19 Feb 2013 16:17:32 +0000
with message-id <e1u7psq-0005vx...@franck.debian.org>
and subject line Bug#700948: fixed in keystone 2012.1.1-13
has caused the Debian Bug report #700948,
regarding CVE-2013-0280: Information leak and Denial of Service using XML entities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700948: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700948
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: keystone
Version: 2012.1.1-12
Severity: grave
Tags: security

Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent
independently reported a vulnerability in the parsing of XML requests in
Keystone, Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on the Keystone, Nova
or Cinder API servers, resulting in a denial of service and potentially a
crash. Authenticated attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This only affects servers
with XML support enabled.

Patched package is ready, upload is coming.

Thomas Goirand (zigo)

--- End Message ---
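
One way to refuse XML request bodies that declare a DTD or entities before any tree is built, using Python's standard-library expat bindings. This is an added example, not Keystone's code and not the patch shipped in 2012.1.1-13; `parse_request_xml`, `ForbiddenXML`, `is_accepted` and the sample bodies are hypothetical names and constructed inputs.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a request body declares a DTD or an entity."""


def parse_request_xml(body: bytes) -> ET.Element:
    """Parse a request body; abort on any DOCTYPE or entity declaration.

    Hypothetical helper (assumption of this example, not a Keystone API).
    """
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed: %r" % name)

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %r" % name)

    def forbid_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed: %r" % sysid)

    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()
    # The DOCTYPE handler fires before any entity is declared or expanded,
    # so nothing is resolved and no file is opened; the other two handlers
    # are kept as a second line of defence.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(body, True)
    return builder.close()


# Constructed sample bodies (not taken from the bug report).
PLAIN = b"<auth><tenantName>demo</tenantName></auth>"
INTERNAL_ENTITY = (b'<!DOCTYPE auth [<!ENTITY e "demo">]>'
                   b"<auth><tenantName>&e;</tenantName></auth>")
EXTERNAL_ENTITY = (b'<!DOCTYPE auth [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
                   b"<auth><tenantName>&e;</tenantName></auth>")


def is_accepted(body: bytes) -> bool:
    """True if the body parses, False if it was refused for DTD/entity use."""
    try:
        parse_request_xml(body)
        return True
    except ForbiddenXML:
        return False
```

The five predefined entities such as `&amp;` need no declaration and still parse; malformed XML raises `xml.parsers.expat.ExpatError` as usual.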
--- Begin Message ---
Source: keystone
Source-Version: 2012.1.1-13

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 19 Feb 2013 12:56:42 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.1.1-13
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 700947 700948
Changes: 
 keystone (2012.1.1-13) unstable; urgency=high
 .
   * CVE-2013-0282: Ensure EC2 users and tenant are enabled (Closes: #700947).
   * CVE-2013-0280: Information leak and Denial of Service using XML entities
     (Closes: #700948).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEjpLgACgkQl4M9yZjvmkkvYwCdGBnQZYurQI40PPwDoV0p3IH5
aH0AoI5SGkvgwq3yNdOxgTlMErQv+uOK
=cG5a
-----END PGP SIGNATURE-----

--- End Message ---
