Your message dated Thu, 07 Sep 2017 17:47:09 +0000
with message-id <e1dq0tr-00080n...@fasolo.debian.org>
and subject line Bug#872605: fixed in aodh 3.0.0-4+deb9u1
has caused the Debian Bug report #872605,
regarding aodh: CVE-2017-12440
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
872605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872605
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: aodh
Version: 3.0.0-4
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for aodh.

CVE-2017-12440[0]:
| Aodh as packaged in Openstack Ocata and Newton before change-ID
| I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not
| verify that trust IDs belong to the user when creating alarm action
| with the scheme trust+http, which allows remote authenticated users
| with knowledge of trust IDs where Aodh is the trustee to obtain a
| Keystone token and perform unspecified authenticated actions by adding
| an alarm action with the scheme trust+http, and providing a trust id
| where Aodh is the trustee.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12440
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440
[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0080

Regards,
Salvatore

--- End Message ---
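The ownership check whose absence CVE-2017-12440 describes, as an added example (not code from Aodh or from the upstream patch). It assumes the trust ID travels in the userinfo part of the `trust+http` URL; the `TRUSTS` table, host name and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: trust ID -> who delegated it and to whom.
# A real service would look this up in the identity service instead.
TRUSTS = {
    "trust-alice": {"trustor": "alice", "trustee": "aodh"},
    "trust-bob": {"trustor": "bob", "trustee": "aodh"},
}


class ActionRejected(ValueError):
    """Raised when an alarm action must not be stored."""


def trust_id_from_action(action_url):
    """Return the trust ID carried by a trust+<scheme> URL, else None.

    Assumption: the trust ID is the username in the URL's userinfo.
    """
    parts = urlsplit(action_url)
    if not parts.scheme.startswith("trust+"):
        return None
    return parts.username  # None when the caller supplied no trust ID


def accept_action_unchecked(action_url, requester):
    """Behaviour the CVE describes: any supplied trust ID is accepted."""
    return True


def accept_action_checked(action_url, requester, trusts=TRUSTS):
    """Accept the action only if the requester delegated the trust."""
    trust_id = trust_id_from_action(action_url)
    if trust_id is None:
        return True  # plain action, or no caller-supplied trust ID
    trust = trusts.get(trust_id)
    # One message for "unknown" and "not yours", so the API does not
    # confirm which trust IDs exist.
    if trust is None or trust["trustor"] != requester:
        raise ActionRejected("trust ID not usable by this user")
    return True
```
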
--- Begin Message ---
Source: aodh
Source-Version: 3.0.0-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
aodh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated aodh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 21 Aug 2017 00:59:49 +0200
Source: aodh
Binary: python-aodh aodh-common aodh-api aodh-evaluator aodh-notifier aodh-listener aodh-expirer aodh-doc
Architecture: source all
Version: 3.0.0-4+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 aodh-api   - OpenStack Telemetry (Ceilometer) Alarming - API server
 aodh-common - OpenStack Telemetry (Ceilometer) Alarming - common files
 aodh-doc   - OpenStack efficient metering counters system - doc
 aodh-evaluator - OpenStack Telemetry (Ceilometer) Alarming - alarm evaluator
 aodh-expirer - OpenStack Telemetry (Ceilometer) Alarming - expirer
 aodh-listener - OpenStack Telemetry (Ceilometer) Alarming - listener
 aodh-notifier - OpenStack Telemetry (Ceilometer) Alarming - alarm notifier
 python-aodh - OpenStack Telemetry (Ceilometer) Alarming - Python libraries
Closes: 872605
Changes:
 aodh (3.0.0-4+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2017-12440: apply upstream patch (Closes: #872605).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
