CVE-2013-2059: Keystone tokens not immediately invalidated when user is deleted [OSSA 2013-011]


Debian Bug report logs - #707598


Reported by: Luciano Bello <luciano@debian.org>

Date: Thu, 9 May 2013 16:39:11 UTC

Severity: important

Tags: patch, security

Fixed in versions keystone/2013.1.1-2, keystone/2012.1.1-13+wheezy1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#707598; Package keystone. (Thu, 09 May 2013 16:39:16 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 09 May 2013 16:39:16 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2013-2059: Keystone tokens not immediately invalidated when user is deleted [OSSA 2013-011]
Date: Thu, 9 May 2013 18:38:42 +0200
Package: keystone
Severity: important
Tags: security patch
Justification: user security hole

Please see: http://lists.openstack.org/pipermail/openstack-announce/2013-May/000099.html

Cheers, luciano



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#707598; Package keystone. (Thu, 09 May 2013 18:12:14 GMT)


Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 09 May 2013 18:12:14 GMT)


Message #10 received at 707598@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: 707598@bugs.debian.org
Subject: Re: [Openstack-devel] Bug#707598: CVE-2013-2059: Keystone tokens not immediately invalidated when user is deleted [OSSA 2013-011]
Date: Fri, 10 May 2013 02:10:36 +0800
On 05/10/2013 12:38 AM, Luciano Bello wrote:
> Package: keystone
> Severity: important
> Tags: security patch
> Justification: user security hole
> 
> Please see: http://lists.openstack.org/pipermail/openstack-announce/2013-May/000099.html
> 
> Cheers, luciano

Thanks Luciano,

I'm attaching the patches for both the Wheezy and Experimental versions
of Keystone (Essex and Grizzly, respectively).

I worked on fixing the Spice console for Grizzly tonight, and it's a bit
too late to do some security uploads without mistakes. So I'm delaying
it for tomorrow. If anyone in the team has time to do them though (like
Ghe, for example???), I'd appreciate it.

Thomas
[CVE-2013-2059_essex_Deleted_user_can_still_create_instances.patch (text/x-diff, attachment)]
[CVE-2013-2059_grizzly_Deleted_user_can_still_create_instances.patch (text/x-diff, attachment)]

Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 16 May 2013 07:21:08 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Thu, 16 May 2013 07:21:08 GMT)


Message #15 received at 707598-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 707598-close@bugs.debian.org
Subject: Bug#707598: fixed in keystone 2013.1.1-2
Date: Thu, 16 May 2013 07:17:47 +0000
Source: keystone
Source-Version: 2013.1.1-2

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707598@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 10 May 2013 10:22:18 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2013.1.1-2
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 707598
Changes: 
 keystone (2013.1.1-2) unstable; urgency=low
 .
   * Uploading to unstable.
   * New upstream release:
     - Fixes CVE-2013-2059: Keystone tokens not immediately invalidated when
     user is deleted [OSSA 2013-011] (Closes: #707598).
   * Also installs httpd/keystone.py.





Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 29 May 2013 19:18:15 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 29 May 2013 19:18:15 GMT)


Message #20 received at 707598-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 707598-close@bugs.debian.org
Subject: Bug#707598: fixed in keystone 2012.1.1-13+wheezy1
Date: Wed, 29 May 2013 19:17:05 +0000
Source: keystone
Source-Version: 2012.1.1-13+wheezy1

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707598@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 10 May 2013 10:09:14 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.1.1-13+wheezy1
Distribution: wheezy-proposed-updates
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 707598
Changes: 
 keystone (2012.1.1-13+wheezy1) wheezy-proposed-updates; urgency=low
 .
   * CVE-2013-2059: Keystone tokens not immediately invalidated when user is
     deleted [OSSA 2013-011]. Added the patch backported to Essex, which I picked
     up from Launchpad. Thanks to the Canonical security team (Closes: #707598).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Jun 2013 07:37:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:58:48 2019; Machine Name: beach
