On 06/13/2014 12:44 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Severity: grave
> Tags: security upstream patch
> Justification: user security hole
>
> Hi Thomas,
>
> As you might know, the following vulnerability was published for
> keystone.
>
> CVE-2014-3476[0]:
> privilege escalation through trust chained delegation
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-3476
> [1] http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html
>
> Please adjust the affected versions in the BTS as needed. From the
> advisory at least all versions up to 2013.2.3, and 2014.1 to 2014.1.1
> are affected.
>
> Regards and thanks for your work,
> Salvatore

Hi Salvatore,

Thanks for the update. I received the pre-OSSA, but didn't find the time
to address it before now. I just uploaded the fix for Sid with
urgency=high.

As far as I can tell, the Wheezy version isn't affected. None of the
source code patched is present in the Essex version of Keystone. This is
also what the OSSA says.

I have updated the BTS; I believe I don't have the credentials for the
security-tracker. Please mark Wheezy as unaffected, and sid as fixed in
version 2014.1.1-2.

Cheers,

Thomas Goirand (zigo)