Your message dated Thu, 12 Dec 2019 22:04:33 +0000
with message-id <e1ifwzv-0001dg...@fasolo.debian.org>
and subject line Bug#946614: fixed in keystone 2:16.0.0-5
has caused the Debian Bug report #946614,
regarding keystone: CVE-2019-19687
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
946614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946614
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: keystone
Version: 2:16.0.0-4
Severity: grave
Tags: security upstream
Forwarded: https://bugs.launchpad.net/keystone/+bug/1855080

Hi,

The following vulnerability was published for keystone.

CVE-2019-19687[0]:
| OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in
| the list credentials API. Any user with a role on a project is able to
| list any credentials with the /v3/credentials API when enforce_scope
| is false. Users with a role on a project are able to view any other
| users' credentials, which could (for example) leak sign-on information
| for Time-based One Time Passwords (TOTP). Deployments with
| enforce_scope set to false are affected. (There will be a slight
| performance impact for the list credentials API once this issue is
| fixed.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19687
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19687
[1] https://bugs.launchpad.net/keystone/+bug/1855080

Regards,
Salvatore

--- End Message ---
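The leak described in the report above, as an added, simplified model that is not Keystone's own code: a credential store with three users, the affected listing behaviour of an enforce_scope = false deployment (any project member receives every credential), and the hardened listing that restricts project-scoped callers to the credentials they own. The `Context` class and the sample records are constructed for the illustration.

```python
"""Simplified model of CVE-2019-19687 (added illustration, not Keystone's code)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample credential store: three users across two projects.
CREDENTIALS: List[Dict[str, str]] = [
    {"id": "cred-alice", "user_id": "alice", "project_id": "proj-1", "type": "totp"},
    {"id": "cred-bob",   "user_id": "bob",   "project_id": "proj-1", "type": "totp"},
    {"id": "cred-carol", "user_id": "carol", "project_id": "proj-2", "type": "ec2"},
]


@dataclass(frozen=True)
class Context:
    """Hypothetical caller context derived from the token."""
    user_id: str
    system_scope: bool = False  # True only for a system-scoped (cloud admin) token


def list_credentials_before_fix(ctx: Context) -> List[Dict[str, str]]:
    """Affected behaviour with enforce_scope = false: the policy check passes for
    any user holding a role on a project, and no ownership filter is applied,
    so every credential in the deployment is returned to the caller."""
    return [dict(c) for c in CREDENTIALS]


def list_credentials_after_fix(ctx: Context) -> List[Dict[str, str]]:
    """Hardened behaviour: unless the caller holds system scope, the listing is
    restricted to credentials whose user_id matches the caller."""
    if ctx.system_scope:
        return [dict(c) for c in CREDENTIALS]
    return [dict(c) for c in CREDENTIALS if c["user_id"] == ctx.user_id]


def leaked_credential_ids(ctx: Context) -> List[str]:
    """Credential ids a caller sees before the fix but not after: the leakage."""
    visible_after = {c["id"] for c in list_credentials_after_fix(ctx)}
    return sorted(c["id"] for c in list_credentials_before_fix(ctx)
                  if c["id"] not in visible_after)


if __name__ == "__main__":
    alice = Context(user_id="alice")  # plain project member
    print("before fix:", [c["id"] for c in list_credentials_before_fix(alice)])
    print("after fix: ", [c["id"] for c in list_credentials_after_fix(alice)])
    print("leaked:    ", leaked_credential_ids(alice))
```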
--- Begin Message ---
Source: keystone
Source-Version: 2:16.0.0-5

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Dec 2019 22:20:29 +0100
Source: keystone
Architecture: source
Version: 2:16.0.0-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 946614
Changes:
 keystone (2:16.0.0-5) unstable; urgency=high
 .
   * Add a depends on uwsgi-plugin-apparmor, and use it.
   * Add load-balancer_admin & load-balancer_member in default role creation.
   * CVE-2019-19687: project members and readers can list any credentials with
     the /v3/credentials API when enforce_scope is false. Add upstream patch:
     CVE-2019-19687_Fix_credential_list_for_project_members.patch.
     (Closes: #946614).
   * Blacklist test_hacking_checks.TestCheckForMutableDefaultArgs.test() which
     is currently failing in Sid.


--- End Message ---
