keystone: CVE-2014-0204: Improper role assignments to users

Related Vulnerabilities: CVE-2014-0204

Debian Bug report logs - #749026
keystone: CVE-2014-0204: Improper role assignments to users


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 23 May 2014 05:21:01 UTC

Severity: important

Tags: security, upstream

Fixed in version keystone/2014.1-5

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#749026; Package src:keystone. (Fri, 23 May 2014 05:21:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 23 May 2014 05:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: keystone: CVE-2014-0204: Improper role assignments to users
Date: Fri, 23 May 2014 07:16:25 +0200
Source: keystone
Severity: grave
Tags: security upstream

Hi Thomas,

the following vulnerability was published for keystone.

CVE-2014-0204[0]:
Keystone user and group id mismatch

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
    https://security-tracker.debian.org/tracker/CVE-2014-0204
[1] https://bugs.launchpad.net/keystone/%2Bbug/1309228

From the advisory (code not checked) it looks like the wheezy version should not be
affected, but could you please adjust the affected versions in the BTS
as needed?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#749026; Package src:keystone. (Fri, 23 May 2014 06:42:11 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 23 May 2014 06:42:11 GMT)


Message #10 received at 749026@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 749026@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, security@debian.org
Subject: Re: [PKG-Openstack-devel] Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
Date: Fri, 23 May 2014 14:39:20 +0800
On 05/23/2014 01:16 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Severity: grave
> Tags: security upstream
> 
> Hi Thomas,
> 
> the following vulnerability was published for keystone.
> 
> CVE-2014-0204[0]:
> Keystone user and group id mismatch
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
>     https://security-tracker.debian.org/tracker/CVE-2014-0204
> [1] https://bugs.launchpad.net/keystone/%2Bbug/1309228
> 
> From the advisory (code not checked) it looks like the wheezy version should not be
> affected, but could you please adjust the affected versions in the BTS
> as needed?
> 
> Regards,
> Salvatore

Hi Salvatore,

This was already uploaded in version 2014.1-3. I forgot to edit the
debian/changelog for this (I uploaded mistakenly before I was finished
with my work). However, there's an update for the patch which the
package still doesn't have, so I will leave the bug open until I can
find the time to push for an updated patch.

Thanks for your care,

Thomas Goirand (zigo)




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#749026; Package src:keystone. (Fri, 23 May 2014 07:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 23 May 2014 07:03:04 GMT)


Message #15 received at 749026@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 749026@bugs.debian.org, security@debian.org
Subject: Re: [PKG-Openstack-devel] Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
Date: Fri, 23 May 2014 09:00:42 +0200
Hi Thomas,

On Fri, May 23, 2014 at 02:39:20PM +0800, Thomas Goirand wrote:
> On 05/23/2014 01:16 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Severity: grave
> > Tags: security upstream
> > 
> > Hi Thomas,
> > 
> > the following vulnerability was published for keystone.
> > 
> > CVE-2014-0204[0]:
> > Keystone user and group id mismatch
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
> >     https://security-tracker.debian.org/tracker/CVE-2014-0204
> > [1] https://bugs.launchpad.net/keystone/%2Bbug/1309228
> > 
> > From the advisory (code not checked) it looks like the wheezy version should not be
> > affected, but could you please adjust the affected versions in the BTS
> > as needed?
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> This was already uploaded in version 2014.1-3. I forgot to edit the
> debian/changelog for this (I uploaded mistakenly before I was finished
> with my work). However, there's an update for the patch which the
> package still doesn't have, so I will leave the bug open until I can
> find the time to push for an updated patch.

Indeed, thanks for correction! I have added also a note on the
security-tracker, that the patch needs a follow-up patch first (and we
can mark then as fixed with 2014.1-4 or whatever it will be).

Thanks for your work,

Regards,
Salvatore



Changed Bug title to 'keystone: CVE-2014-0204: Inproper role assignments to users' from 'keystone: CVE-2014-0204: nproper role assignments to users'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 23 May 2014 07:03:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#749026; Package src:keystone. (Fri, 23 May 2014 07:54:12 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 23 May 2014 07:54:12 GMT)


Message #22 received at 749026@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 749026@bugs.debian.org
Cc: security@debian.org
Subject: Re: [PKG-Openstack-devel] Bug#749026: Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
Date: Fri, 23 May 2014 15:50:47 +0800
On 05/23/2014 03:00 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> On Fri, May 23, 2014 at 02:39:20PM +0800, Thomas Goirand wrote:
>> On 05/23/2014 01:16 PM, Salvatore Bonaccorso wrote:
>>> Source: keystone
>>> Severity: grave
>>> Tags: security upstream
>>>
>>> Hi Thomas,
>>>
>>> the following vulnerability was published for keystone.
>>>
>>> CVE-2014-0204[0]:
>>> Keystone user and group id mismatch
>>>
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
>>>     https://security-tracker.debian.org/tracker/CVE-2014-0204
>>> [1] https://bugs.launchpad.net/keystone/%2Bbug/1309228
>>>
>>> From the advisory (code not checked) it looks like the wheezy version should not be
>>> affected, but could you please adjust the affected versions in the BTS
>>> as needed?
>>>
>>> Regards,
>>> Salvatore
>>
>> Hi Salvatore,
>>
>> This was already uploaded in version 2014.1-3. I forgot to edit the
>> debian/changelog for this (I uploaded mistakenly before I was finished
>> with my work). However, there's an update for the patch which the
>> package still doesn't have, so I will leave the bug open until I can
>> find the time to push for an updated patch.
> 
> Indeed, thanks for correction! I have added also a note on the
> security-tracker, that the patch needs a follow-up patch first (and we
> can mark then as fixed with 2014.1-4 or whatever it will be).
> 
> Thanks for your work,
> 
> Regards,
> Salvatore

Thanks.

FYI, Essex (e.g. what's in Wheezy) isn't affected. Also, the current
backport to Icehouse (e.g. 2014.1) is still under review:

https://review.openstack.org/#/c/94397/

I prefer to wait until the review process is finished. As I understand,
the regression is: a userid containing a ',' can't log in.

Do you think, like I do, that I should lower the severity of this bug
and let 2014.1-3 migrate to testing?

Cheers,

Thomas Goirand (zigo)
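The two failure modes mentioned in this thread, a group's roles being attributed to a user that shares its id ("user and group id mismatch") and the follow-up regression where a userid containing ',' cannot log in, are both properties of how a role-assignment lookup identifies its members. The Python below is an added illustration and is not Keystone's code or the patch under review: the bug report does not include the patch, so the LDAP-DN membership model, the `ou=Users`/`ou=Groups` tree names, the suffix and the sample assignments are assumptions chosen to make the bug class reproducible offline.

```python
"""Toy model of the "user and group id mismatch" bug class.

Added illustration, not Keystone's code. Assumptions (hypothetical): role
assignments store their members as LDAP DNs, users and groups live in
sibling subtrees, and a user id may legitimately contain an escaped comma.
"""
from typing import Dict, List, Optional, Set, Tuple

# Assumed directory layout (hypothetical).
USER_TREE = ("ou", "Users")
GROUP_TREE = ("ou", "Groups")
SUFFIX = [("dc", "example"), ("dc", "com")]

# Constructed sample data: (target, role) -> member DNs. The group "alice"
# shares its id with the user "alice"; one user id contains an escaped ','.
ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("project-p1", "admin"): {"cn=alice,ou=Users,dc=example,dc=com"},
    ("project-p1", "auditor"): {"cn=alice,ou=Groups,dc=example,dc=com"},
    ("project-p2", "member"): {"cn=smith\\, john,ou=Users,dc=example,dc=com"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs.

    Honours RFC 4514 single-character backslash escapes such as "\\,"
    inside a value; hex-pair escapes are not handled by this toy parser.
    A plain dn.split(",") would cut the value "smith\\, john" in half.
    """
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def naive_member_id(dn: str) -> str:
    """Vulnerable extraction: bare first-RDN value, no notion of user vs.
    group, and a split on ',' that mangles escaped commas."""
    return dn.split(",")[0].split("=", 1)[1]


def member_kind_and_id(dn: str) -> Optional[Tuple[str, str]]:
    """Hardened extraction: parse the DN properly and classify the member by
    the subtree it sits under, so user and group ids are separate spaces."""
    rdns = parse_dn(dn)
    if len(rdns) < 2 + len(SUFFIX) or rdns[-len(SUFFIX):] != SUFFIX:
        return None
    if rdns[1] == USER_TREE:
        return ("user", rdns[0][1])
    if rdns[1] == GROUP_TREE:
        return ("group", rdns[0][1])
    return None


def roles_for_user_naive(user_id: str) -> Set[str]:
    """Bug: any member whose bare id equals user_id matches, groups included."""
    return {
        role
        for (_target, role), members in ASSIGNMENTS.items()
        if any(naive_member_id(m) == user_id for m in members)
    }


def roles_for_user_fixed(user_id: str) -> Set[str]:
    """Fix: only members that parse as ("user", user_id) count."""
    return {
        role
        for (_target, role), members in ASSIGNMENTS.items()
        if any(member_kind_and_id(m) == ("user", user_id) for m in members)
    }


if __name__ == "__main__":
    # The group's "auditor" role leaks to the user in the naive lookup.
    print("naive alice:", sorted(roles_for_user_naive("alice")))
    print("fixed alice:", sorted(roles_for_user_fixed("alice")))
    # An id containing ',' gets no roles at all from the naive split.
    print("naive smith:", sorted(roles_for_user_naive("smith, john")))
    print("fixed smith:", sorted(roles_for_user_fixed("smith, john")))
```

The check a packager would want before shipping such a fix is the second pair of calls: the hardened lookup must still resolve every user the old one did, including ids with characters that are special in the encoding the fix relies on.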




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#749026; Package src:keystone. (Fri, 23 May 2014 08:33:13 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 23 May 2014 08:33:13 GMT)


Message #27 received at 749026@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 749026@bugs.debian.org, security@debian.org
Subject: Re: [PKG-Openstack-devel] Bug#749026: Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
Date: Fri, 23 May 2014 10:31:31 +0200
Hi Thomas,

On Fri, May 23, 2014 at 03:50:47PM +0800, Thomas Goirand wrote:
[...]
> FYI, Essex (e.g. what's in Wheezy) isn't affected. Also, the current
> backport to Icehouse (e.g. 2014.1) is still under review:
> 
> https://review.openstack.org/#/c/94397/
> 
> I prefer to wait until the review process is finished. As I understand,
> the regression is: a userid containing a ',' can't log in.
> 
> Do you think, like I do, that I should lower the severity of this bug
> and let 2014.1-3 migrate to testing?

Yes, I think it is fine to lower the severity of this bug to important.

Regards,
Salvatore



Severity set to 'important' from 'grave'. Request was from Thomas Goirand <zigo@debian.org> to control@bugs.debian.org. (Fri, 23 May 2014 10:18:05 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sat, 31 May 2014 03:39:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 31 May 2014 03:39:09 GMT)


Message #34 received at 749026-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 749026-close@bugs.debian.org
Subject: Bug#749026: fixed in keystone 2014.1-5
Date: Sat, 31 May 2014 03:34:43 +0000
Source: keystone
Source-Version: 2014.1-5

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 749026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 30 May 2014 23:09:45 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2014.1-5
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 749026
Changes: 
 keystone (2014.1-5) unstable; urgency=medium
 .
   * Updates cve-2014-0204-stable-icehouse.patch with latest version from
     upstream (Closes: #749026).
Checksums-Sha1: 
 c4713856862b8a86394859d0340798174b433a4b 3524 keystone_2014.1-5.dsc
 2f464f39115d4eb97e9ed0ee0e6e3dd1f9c60a31 208296 keystone_2014.1-5.debian.tar.xz
 d2b7716101aed738dd49f0950cf2844e374e4014 632380 python-keystone_2014.1-5_all.deb
 3ea44911889dfea2d13ea2a1b0ee2e7902a9efac 272650 keystone_2014.1-5_all.deb
 24a53e3ae17000ae42390f2f3a2e39eabcc16345 450892 keystone-doc_2014.1-5_all.deb
Checksums-Sha256: 
 eaab799065c68bc49a04847d556325dc6c02ffde4f51bf413f7cd3fee3146ff1 3524 keystone_2014.1-5.dsc
 7def65b437d4f666ff87dea783040aa739f8cb8ccd0b572a747cb8a03a456344 208296 keystone_2014.1-5.debian.tar.xz
 246ed15b19614145ce0426521f05cbe2dc7ef7c50df2ab01dc97395b5eba96f1 632380 python-keystone_2014.1-5_all.deb
 3b3775fb0efd3be3bb4fba517fcc95bbdc8230fef61307bbbf47d887f8f0dcfb 272650 keystone_2014.1-5_all.deb
 789aa143cd7a5693e5dd71877d5e1393782cc5558792904ddb48267fdda9933b 450892 keystone-doc_2014.1-5_all.deb
Files: 
 3d045131f5cfda5c8f7df7542ca4b082 632380 python extra python-keystone_2014.1-5_all.deb
 f8213d4f7fe5066a98fa6e36cd48c122 272650 python extra keystone_2014.1-5_all.deb
 c6005f7f47d57bdeab8bd72a7ab63b24 450892 doc extra keystone-doc_2014.1-5_all.deb
 50638e4b2ba7b5b7a557056fb3674db1 3524 net extra keystone_2014.1-5.dsc
 1285b8d2ddc6f93704bfac87e82b125f 208296 net extra keystone_2014.1-5.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Aug 2014 07:27:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:05:38 2019; Machine Name: buxtehude
