Your message dated Tue, 19 Feb 2013 16:32:33 +0000
with message-id <e1u7q7n-0008th...@franck.debian.org>
and subject line Bug#700947: fixed in keystone 2012.2.3-1
has caused the Debian Bug report #700947,
regarding CVE-2013-0282: Ensure EC2 users and tenant are enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700947: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700947
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: keystone
Version: 2012.1.1-12
Severity: grave
Tags: security

Nathanael Burton reported a vulnerability in EC2-style authentication in
Keystone. Keystone fails to check whether a user, tenant, or domain is enabled
before authenticating a user using the EC2 API. Authenticated, but disabled
users (or authenticated users in disabled tenants or domains) could therefore
retain access rights that were thought removed. Only setups enabling EC2-style
authentication are affected. To disable EC2-style authentication to work
around the issue, remove the EC2 extension from the keystone API pipeline in
keystone.conf.

Patched version is ready, upload is coming.

Thomas Goirand (zigo)

--- End Message ---
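As an added illustration (not Keystone's code and not part of the bug report above): a toy EC2-style authentication flow showing the pre-fix path, which grants access on a valid signature alone, beside the corrected path that also requires the user, tenant and domain to be enabled. The identity store, credentials and the HMAC-SHA256 stand-in for EC2 request signing are constructed for this example.

```python
import hashlib
import hmac

# Constructed in-memory identity store standing in for Keystone's backend.
USERS = {
    "user-1": {"enabled": False, "tenant_id": "tenant-1", "domain_id": "dom-1"},
    "user-2": {"enabled": True, "tenant_id": "tenant-2", "domain_id": "dom-1"},
}
TENANTS = {"tenant-1": {"enabled": True}, "tenant-2": {"enabled": False}}
DOMAINS = {"dom-1": {"enabled": True}}
# Constructed EC2-style credentials: access key -> secret plus the user/tenant it maps to.
EC2_CREDENTIALS = {
    "AKIA-EXAMPLE-1": {"secret": "s3cret-1", "user_id": "user-1", "tenant_id": "tenant-1"},
    "AKIA-EXAMPLE-2": {"secret": "s3cret-2", "user_id": "user-2", "tenant_id": "tenant-2"},
}

def sign(secret, string_to_sign):
    """Simplified stand-in for EC2 request signing: HMAC-SHA256 over the canonical string."""
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()

def lookup_credential(access, string_to_sign, signature):
    """Resolve the access key and verify the signature; both code paths share this step."""
    cred = EC2_CREDENTIALS.get(access)
    if cred is None or not hmac.compare_digest(sign(cred["secret"], string_to_sign), signature):
        raise PermissionError("bad access key or signature")
    return cred

def ec2_authenticate_vulnerable(access, string_to_sign, signature):
    """Pre-fix behaviour: a valid signature alone yields a token; enabled flags are never read."""
    cred = lookup_credential(access, string_to_sign, signature)
    return {"user_id": cred["user_id"], "tenant_id": cred["tenant_id"]}

def ec2_authenticate_fixed(access, string_to_sign, signature):
    """Post-fix behaviour: refuse when the user, its tenant, or its domain is disabled."""
    cred = lookup_credential(access, string_to_sign, signature)
    user = USERS[cred["user_id"]]
    checks = (("user", user), ("tenant", TENANTS[cred["tenant_id"]]),
              ("domain", DOMAINS[user["domain_id"]]))
    for label, record in checks:
        if not record["enabled"]:
            raise PermissionError("%s disabled" % label)
    return {"user_id": cred["user_id"], "tenant_id": cred["tenant_id"]}

def is_denied(authenticate, access, string_to_sign, signature):
    # True when the given authenticate function rejects the request.
    try:
        authenticate(access, string_to_sign, signature)
        return False
    except PermissionError:
        return True
```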
--- Begin Message ---
Source: keystone
Source-Version: 2012.2.3-1

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sun, 03 Feb 2013 11:05:36 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.2.3-1
Distribution: experimental
Urgency: low
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 700947 700948
Changes: 
 keystone (2012.2.3-1) experimental; urgency=low
 .
   * New upstream release.
   * CVE-2013-0247: Keystone denial of service through invalid token requests.
   * CVE-2013-0282: Keystone EC2-style authentication accepts disabled
     user/tenants (Closes: #700947).
   * CVE-2013-0280: Information leak and Denial of Service using XML entities
     (Closes: #700948)


--- End Message ---
