Your message dated Thu, 16 Aug 2018 08:49:20 +0000
with message-id <e1fqdy4-00013r...@fasolo.debian.org>
and subject line Bug#904616: fixed in keystone 2:13.0.0-7
has caused the Debian Bug report #904616,
regarding keystone: CVE-2018-14432: GET /v3/OS-FEDERATION/projects leaks project information
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
904616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: keystone
Version: 2:13.0.0-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for keystone.

CVE-2018-14432[0]:
GET /v3/OS-FEDERATION/projects leaks project information

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14432
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14432
[1] http://www.openwall.com/lists/oss-security/2018/07/25/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: keystone
Source-Version: 2:13.0.0-7

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 904...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Apr 2018 11:08:58 +0000
Source: keystone
Binary: keystone keystone-doc python3-keystone
Architecture: source all
Version: 2:13.0.0-7
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python3-keystone - OpenStack identity service - library
Closes: 904616
Changes:
 keystone (2:13.0.0-7) unstable; urgency=high
 .
   [ Michal Arbet ]
   * Remove auth-token stuff
 .
   [ Thomas Goirand ]
   * Removed using twice --bootstrap-region-id ${REGION_NAME} when doing the
     keystone bootstrapping.
   * CVE-2018-14432: authenticated user may discover projects they have no
     authority to access, leaking all projects in the deployment and their
     attributes. Applied upstream patch for Ocata rebased to Newton: "Reduce
     duplication in federated auth APIs" (Closes: #904616).
 .
   [ Ondřej Nový ]
   * d/control: Use team+openst...@tracker.debian.org as maintainer

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
