python-keystoneclient: CVE-2013-2166 CVE-2013-2167: Issues in Keystone middleware memcache signing/encryption feature


Debian Bug report logs - #713819


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 22 Jun 2013 20:54:02 UTC

Severity: grave

Tags: patch, security, upstream

Fixed in version python-keystoneclient/1:0.2.5-2

Done: Prach Pongpanich <prachpub@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#713819; Package python-keystoneclient. (Sat, 22 Jun 2013 20:54:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sat, 22 Jun 2013 20:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-keystoneclient: CVE-2013-2166 CVE-2013-2167: Issues in Keystone middleware memcache signing/encryption feature
Date: Sat, 22 Jun 2013 22:52:26 +0200
Package: python-keystoneclient
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerabilities were published for python-keystoneclient.

CVE-2013-2166[0]:
middleware memcache encryption bypass

CVE-2013-2167[1]:
middleware memcache signing bypass

See [2] for further reference.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2166
    http://security-tracker.debian.org/tracker/CVE-2013-2166
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2167
    http://security-tracker.debian.org/tracker/CVE-2013-2167
[2] http://marc.info/?l=oss-security&m=137165644225629&w=2 

According to the advisory it should affect only upstream 0.2.3 to 0.2.5.
Could you please double-check this and adjust the found version for the BTS?

Regards,
Salvatore 



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#713819; Package python-keystoneclient. (Sun, 23 Jun 2013 05:03:04 GMT)


Acknowledgement sent to Prach Pongpanich <prachpub@gmail.com>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 23 Jun 2013 05:03:04 GMT)


Message #10 received at 713819@bugs.debian.org:

From: Prach Pongpanich <prachpub@gmail.com>
To: 713819@bugs.debian.org
Subject: Re: [Openstack-devel] Bug#713819: python-keystoneclient: CVE-2013-2166 CVE-2013-2167: Issues in Keystone middleware memcache signing/encryption feature
Date: Sun, 23 Jun 2013 12:01:22 +0700
On Sun, Jun 23, 2013 at 3:52 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Package: python-keystoneclient
> Severity: grave
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerabilities were published for python-keystoneclient.
>
> CVE-2013-2166[0]:
> middleware memcache encryption bypass
>
> CVE-2013-2167[1]:
> middleware memcache signing bypass
>
> See [2] for further reference.
>
> If you fix the vulnerabilities, please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>

Hi,

I've committed to fix this bug [1].

[1] http://anonscm.debian.org/gitweb/?p=openstack/python-keystoneclient.git

Regards,
 Prach



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#713819; Package python-keystoneclient. (Sun, 23 Jun 2013 12:51:10 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Sun, 23 Jun 2013 12:51:10 GMT)


Message #15 received at 713819@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 713819@bugs.debian.org
Subject: Re: [Openstack-devel] Bug#713819: Bug#713819: python-keystoneclient: CVE-2013-2166 CVE-2013-2167: Issues in Keystone middleware memcache signing/encryption feature
Date: Sun, 23 Jun 2013 20:46:10 +0800
On 06/23/2013 01:01 PM, Prach Pongpanich wrote:
> On Sun, Jun 23, 2013 at 3:52 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> Package: python-keystoneclient
>> Severity: grave
>> Tags: security upstream patch
>>
>> Hi,
>>
>> the following vulnerabilities were published for python-keystoneclient.
>>
>> CVE-2013-2166[0]:
>> middleware memcache encryption bypass
>>
>> CVE-2013-2167[1]:
>> middleware memcache signing bypass
>>
>> See [2] for further reference.
>>
>> If you fix the vulnerabilities, please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>>
> 
> Hi,
> 
> I've committed to fix this bug [1].
> 
> [1] http://anonscm.debian.org/gitweb/?p=openstack/python-keystoneclient.git
> 
> Regards,
>  Prach

Thanks. Uploaded.

Though I've noticed that some of the unit tests are failing after
applying the patch (3 failures). I don't know if that is expected or
not... though for what I'm doing, the client worked (keystone
service-list, keystone tenant-list, etc. worked).

Thomas



Reply sent to Prach Pongpanich <prachpub@gmail.com>:
You have taken responsibility. (Sun, 23 Jun 2013 12:51:25 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 23 Jun 2013 12:51:25 GMT)


Message #20 received at 713819-close@bugs.debian.org:

From: Prach Pongpanich <prachpub@gmail.com>
To: 713819-close@bugs.debian.org
Subject: Bug#713819: fixed in python-keystoneclient 1:0.2.5-2
Date: Sun, 23 Jun 2013 12:48:06 +0000
Source: python-keystoneclient
Source-Version: 1:0.2.5-2

We believe that the bug you reported is fixed in the latest version of
python-keystoneclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 713819@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Prach Pongpanich <prachpub@gmail.com> (supplier of updated python-keystoneclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 23 Jun 2013 11:54:52 +0700
Source: python-keystoneclient
Binary: python-keystoneclient
Architecture: source all
Version: 1:0.2.5-2
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Prach Pongpanich <prachpub@gmail.com>
Description: 
 python-keystoneclient - client library for the OpenStack Keystone API
Closes: 713819
Changes: 
 python-keystoneclient (1:0.2.5-2) unstable; urgency=low
 .
   * Add Fix-memcache-encryption-middleware.patch (Closes: #713819)
     [OSSA 2013-017] Keystone middleware memcache signing/encryption feature
     (CVE-2013-2166 and CVE-2013-2167)
Checksums-Sha1: 
 44e85f0384f55a3e5b135cf8431982ddddad584c 1776 python-keystoneclient_0.2.5-2.dsc
 31c0d9c89fe78af037c7a3e77b659697b0646b66 36401 python-keystoneclient_0.2.5-2.debian.tar.gz
 7b04954ec92feb7a7ef5c199e956c4429426f54f 82292 python-keystoneclient_0.2.5-2_all.deb
Checksums-Sha256: 
 9542240a152d0d1cf88c89569adcfd63caa774ca4efc9da6da829ae9a66f20e4 1776 python-keystoneclient_0.2.5-2.dsc
 9ce930c74fa9fdf687533515f51a51c988e7bd1cdc25c457493bebc03cc693b0 36401 python-keystoneclient_0.2.5-2.debian.tar.gz
 77cd2f2665bd02f233048494a6d3f176ca3f3a2c2bcee6724c80948061fc9094 82292 python-keystoneclient_0.2.5-2_all.deb
Files: 
 3a28f1a6995d0e76dcbe844a50e9d80c 1776 python extra python-keystoneclient_0.2.5-2.dsc
 777a1a04ee0c694786b29c279b45089d 36401 python extra python-keystoneclient_0.2.5-2.debian.tar.gz
 36689855748341798e3f19557b3fd020 82292 python extra python-keystoneclient_0.2.5-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHG7pMACgkQl4M9yZjvmkmWKwCfQX/qqGtjizGBMgxRy/EoB2ji
rbYAn16mf0dDWv4X/A/VNJy5X8icON0o
=uGWG
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Oct 2013 07:27:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:41:29 2019; Machine Name: buxtehude
