On 05/23/2014 03:00 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> On Fri, May 23, 2014 at 02:39:20PM +0800, Thomas Goirand wrote:
>> On 05/23/2014 01:16 PM, Salvatore Bonaccorso wrote:
>>> Source: keystone
>>> Severity: grave
>>> Tags: security upstream
>>>
>>> Hi Thomas,
>>>
>>> the following vulnerability was published for keystone.
>>>
>>> CVE-2014-0204[0]:
>>> Keystone user and group id mismatch
>>>
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
>>>     https://security-tracker.debian.org/tracker/CVE-2014-0204
>>> [1] https://bugs.launchpad.net/keystone/%2Bbug/1309228
>>>
>>> From advisory (code not checked) it looks wheezy version should not be
>>> affected, but could you please adjust the affected versions in the BTS
>>> as needed?
>>>
>>> Regards,
>>> Salvatore
>>
>> Hi Salvatore,
>>
>> This was already uploaded in version 2014.1-3. I forgot to edit the
>> debian/changelog for this (I uploaded mistakenly before I was finished
>> with my work). However, there's an update for the patch which the
>> package still doesn't have, so I will leave the bug open until I can
>> find the time to push for an updated patch.
>
> Indeed, thanks for correction! I have added also a note on the
> security-tracker, that the patch needs a follow-up patch first (and we
> can mark then as fixed with 2014.1-4 or whatever it will be).
>
> Thanks for your work,
>
> Regards,
> Salvatore

Thanks. FYI, Essex (eg: what's in Wheezy) isn't affected. Also, the
current backport to Icehouse (eg: 2014.1) is still under review:

https://review.openstack.org/#/c/94397/

I prefer to wait until the review process is finished. As I understand,
the regression is: a userid containing a ',' can't log in.

Do you think, like I do, that I should lower the severity of this bug
and let 2014.1-3 migrate to testing?

Cheers,

Thomas Goirand (zigo)