keystone: CVE-2013-0247: Keystone denial of service through invalid token requests

Related Vulnerabilities: CVE-2013-0247, CVE-2013-0270

Debian Bug report logs - #699835

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 5 Feb 2013 18:45:01 UTC

Severity: grave

Tags: security

Found in versions keystone/2012.1.1-11, keystone/2012.2.1-1

Fixed in versions keystone/2012.1.1-12, keystone/2012.2.3-1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#699835; Package keystone. (Tue, 05 Feb 2013 18:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 05 Feb 2013 18:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: keystone: CVE-2013-0247: Keystone denial of service through invalid token requests
Date: Tue, 05 Feb 2013 19:41:19 +0100
Package: keystone
Severity: grave
Tags: security
Justification: user security hole

Hi,

the following vulnerability was published for keystone.

CVE-2013-0247[0]:
Keystone denial of service through invalid token requests

Patches should be available via [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0247
    http://security-tracker.debian.org/tracker/CVE-2013-0247
[1] https://lists.launchpad.net/openstack/msg20689.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 06 Feb 2013 02:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 06 Feb 2013 02:51:06 GMT)


Message #10 received at 699835-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 699835-close@bugs.debian.org
Subject: Bug#699835: fixed in keystone 2012.1.1-12
Date: Wed, 06 Feb 2013 02:47:37 +0000
Source: keystone
Source-Version: 2012.1.1-12

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 06 Feb 2013 09:52:07 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.1.1-12
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 699835
Changes: 
 keystone (2012.1.1-12) unstable; urgency=low
 .
   * CVE-2013-0247: Keystone denial of service through invalid token requests
     (Closes: #699835).




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#699835; Package keystone. (Wed, 13 Feb 2013 14:30:03 GMT)


Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 13 Feb 2013 14:30:03 GMT)


Message #15 received at 699835@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: OpenStack Development Mailing List <openstack-dev@lists.openstack.org>, 699835@bugs.debian.org
Subject: Re: [openstack-dev] Essex patch for CVE-2013-0270
Date: Wed, 13 Feb 2013 22:27:05 +0800
On 02/12/2013 12:11 AM, Thierry Carrez wrote:
> Dolph Mathews wrote:
>> Dan Prince also wrote a more specific fix for the same issue and
>> backported it to essex here:
>> https://bugs.launchpad.net/keystone/+bug/1098307
> 
> Indeed, we didn't backport the size-limiting middleware because we don't
> backport new features as part of security vulnerability fixes (following
> what distributions security teams accept).
> 
> As mentioned in the advisory, the fix for CVE-2013-0270 in Essex is here:
> https://review.openstack.org/#/c/21216/

I'm quite confused now.

We have CVE-2013-0247 and CVE-2013-0270. Aren't these the same problem?
Patches are conflicting and doing approximately the same in different ways.

Thomas



Marked as found in versions keystone/2012.1.1-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 13 Feb 2013 20:45:05 GMT)


Marked as found in versions keystone/2012.2.1-1 and reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 13 Feb 2013 20:45:07 GMT)


Marked as fixed in versions keystone/2012.2.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 26 Feb 2013 16:18:06 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 28 Feb 2013 06:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 28 Feb 2013 06:06:03 GMT)


Message #26 received at 699835-done@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 699835-done@bugs.debian.org
Subject: Done, already fixed
Date: Thu, 28 Feb 2013 14:03:22 +0800
Hi,

Upstream have confirmed that this was a duplicate CVE, so this bug can
be closed.

Thomas



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 28 Mar 2013 07:30:54 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:39:05 2019; Machine Name: buxtehude
