Hi Thomas,

On Fri, Jun 13, 2014 at 06:51:27PM +0800, Thomas Goirand wrote:
> On 06/13/2014 12:44 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Severity: grave
> > Tags: security upstream patch
> > Justification: user security hole
> >
> > Hi Thomas,
> >
> > As you might know, the following vulnerability was published for
> > keystone.
> >
> > CVE-2014-3476[0]:
> > privilege escalation through trust chained delegation
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2014-3476
> > [1] http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html
> >
> > Please adjust the affected versions in the BTS as needed. From the
> > advisory at least all versions up to 2013.2.3, and 2014.1 to 2014.1.1
> > are affected.
> >
> > Regards and thanks for your work,
> > Salvatore
>
> Hi Salvatore,
>
> Thanks for the update. I received the pre-OSSA, but didn't find the time
> to address it before now.
>
> I just uploaded the fix for Sid with urgency=high.

Thanks!

> As much as I can tell, the Wheezy version isn't affected. None of the
> source code patched is present in the Essex version of Keystone. This is
> also what the OSSA tells.
>
> I have updated the BTS, I believe I don't have the credentials for the
> security-tracker. Please mark Wheezy as unaffected, and sid as fixed in
> version 2014.1.1-2.

Ok, thanks for checking here. I just have marked wheezy as not affected
in the tracker.

Regards,
Salvatore