Your message dated Sat, 09 May 2020 15:33:03 +0000
with message-id <e1jxrtl-00067h...@fasolo.debian.org>
and subject line Bug#959900: fixed in keystone 2:14.2.0-0+deb10u1
has caused the Debian Bug report #959900,
regarding keystone: CVE-2020-12689 CVE-2020-12690 CVE-2020-12691 CVE-2020-12692
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
959900: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959900
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: keystone
Version: 2:14.0.1-2
Severity: grave
Tags: patch security
kay reported a vulnerability in Keystone's EC2 credentials API. Keystone
is the identity service used by OpenStack for authentication (authN)
and high-level authorization (authZ). Any user authenticated within a
limited scope (trust/oauth/application credential) can create an EC2
credential with an escalated permission, such as obtaining "admin" while
the user is on a limited "viewer" role.
The details and patches are available here:
https://bugs.launchpad.net/keystone/+bug/1872735
--- End Message ---
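The escalation described in the report above, modelled as an added Python example (constructed here; not Keystone's own code): the vulnerable path checks only credential ownership, while the hardened path refuses credential creation from a delegated scope and caps the embedded roles at what the caller's token actually grants. The names `Context`, `CredentialRequest`, `Forbidden` and `LIMITED_SCOPES` are assumptions, and the hardening shown is an illustrative check rather than the upstream patch.

```python
# Illustrative model of the authorization gap in the bug report above.
# Constructed example, not Keystone's code; all names are assumptions.
from dataclasses import dataclass

# Scope types obtained by delegation; each carries a deliberately limited role set.
LIMITED_SCOPES = frozenset({"trust", "oauth", "application_credential"})


class Forbidden(Exception):
    """Raised when a credential request must be rejected."""


@dataclass(frozen=True)
class Context:
    user_id: str
    roles: frozenset            # roles the caller's current token actually grants
    scope_type: str = "project" # "project" or one of LIMITED_SCOPES


@dataclass(frozen=True)
class CredentialRequest:
    user_id: str
    project_id: str
    roles: frozenset            # roles the new EC2 credential would embed


def _owner_check(ctx: Context, req: CredentialRequest) -> None:
    if ctx.user_id != req.user_id:
        raise Forbidden("cannot create a credential for another user")


def create_ec2_credential_vulnerable(ctx: Context, req: CredentialRequest) -> dict:
    # Before: only ownership is checked, so a trust-scoped "viewer" caller
    # can mint a credential that embeds "admin".
    _owner_check(ctx, req)
    return {"user_id": req.user_id, "project_id": req.project_id,
            "roles": sorted(req.roles)}


def create_ec2_credential_fixed(ctx: Context, req: CredentialRequest) -> dict:
    # After: the delegated scope is honoured, and embedded roles may never
    # exceed what the caller's token grants.
    _owner_check(ctx, req)
    if ctx.scope_type in LIMITED_SCOPES:
        raise Forbidden(f"credential creation not permitted from a {ctx.scope_type} scope")
    if not req.roles <= ctx.roles:
        raise Forbidden(f"requested roles exceed the caller's: {sorted(req.roles - ctx.roles)}")
    return {"user_id": req.user_id, "project_id": req.project_id,
            "roles": sorted(req.roles)}
```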
--- Begin Message ---
Source: keystone
Source-Version: 2:14.2.0-0+deb10u1
Done: Thomas Goirand <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 959...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated keystone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 25 Mar 2019 15:04:48 +0100
Source: keystone
Architecture: source
Version: 2:14.2.0-0+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 959900
Changes:
keystone (2:14.2.0-0+deb10u1) buster-security; urgency=medium
.
  * New upstream point release.
  * Removed patch applied upstream:
    - PY3_switch_to_using_unicode_text_values.patch
  * Removed debian/keystone.cron.hourly: UUID tokens are removed in favor of
    Fernet tokens, therefore, this cron job is useless.
  * Add upstream patches to fix grave security bug: EC2 and credential
    endpoints are not protected from a scoped context (Closes: #959900).
    - 0001-Add-cadf-auditing-to-credentials.patch
    - CVE_Check_timestamp_of_signed_EC2_token_request.patch
    - Ensure_OAuth1_authorized_roles_are_respected.patch
    - CVE_Fix_security_issues_with_EC2_credentials.patch
--- End Message ---