keystone: CVE-2014-3476: privilege escalation through trust chained delegation

Related Vulnerabilities: CVE-2014-3476  

Debian Bug report logs - #751454


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 13 Jun 2014 04:48:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version keystone/2014.1.1-1

Fixed in version keystone/2014.1.1-2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#751454; Package src:keystone. (Fri, 13 Jun 2014 04:48:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 13 Jun 2014 04:48:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: keystone: CVE-2014-3476: privilege escalation through trust chained delegation
Date: Fri, 13 Jun 2014 06:44:44 +0200
Source: keystone
Severity: grave
Tags: security upstream patch
Justification: user security hole

Hi Thomas,

As you might know, the following vulnerability was published for
keystone.

CVE-2014-3476[0]:
privilege escalation through trust chained delegation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-3476
[1] http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html

Please adjust the affected versions in the BTS as needed. From the
advisory, at least all versions up to 2013.2.3, and 2014.1 to 2014.1.1,
are affected.

Regards and thanks for your work,
Salvatore



Marked as found in versions keystone/2014.1.1-1. Request was from Thomas Goirand <zigo@debian.org> to control@bugs.debian.org. (Fri, 13 Jun 2014 10:51:09 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Fri, 13 Jun 2014 10:51:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 13 Jun 2014 10:51:14 GMT)


Message #12 received at 751454-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 751454-close@bugs.debian.org
Subject: Bug#751454: fixed in keystone 2014.1.1-2
Date: Fri, 13 Jun 2014 10:48:56 +0000
Source: keystone
Source-Version: 2014.1.1-2

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 751454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 13 Jun 2014 17:30:08 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2014.1.1-2
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 751454
Changes:
 keystone (2014.1.1-2) unstable; urgency=high
 .
   * CVE-2014-3476: privilege escalation through trust chained delegation.
     Applied upstream patch. (Closes: #751454).





Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#751454; Package src:keystone. (Fri, 13 Jun 2014 10:54:15 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 13 Jun 2014 10:54:15 GMT)


Message #17 received at 751454@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: security@debian.org, 751454@bugs.debian.org
Subject: Re: [PKG-Openstack-devel] Bug#751454: keystone: CVE-2014-3476: privilege escalation through trust chained delegation
Date: Fri, 13 Jun 2014 18:51:27 +0800

On 06/13/2014 12:44 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Severity: grave
> Tags: security upstream patch
> Justification: user security hole
> 
> Hi Thomas,
> 
> As you might know, the following vulnerability was published for
> keystone.
> 
> CVE-2014-3476[0]:
> privilege escalation through trust chained delegation
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2014-3476
> [1] http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html
> 
> Please adjust the affected versions in the BTS as needed. From the
> advisory, at least all versions up to 2013.2.3, and 2014.1 to 2014.1.1,
> are affected.
> 
> Regards and thanks for your work,
> Salvatore

Hi Salvatore,

Thanks for the update. I received the pre-OSSA, but didn't find the time
to address it before now.

I just uploaded the fix for Sid with urgency=high.

As much as I can tell, the Wheezy version isn't affected. None of the
source code patched is present in the Essex version of Keystone. This is
also what the OSSA tells.

I have updated the BTS, I believe I don't have the credentials for the
security-tracker. Please mark Wheezy as unaffected, and sid as fixed in
version 2014.1.1-2.

Cheers,

Thomas Goirand (zigo)




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#751454; Package src:keystone. (Fri, 13 Jun 2014 11:12:18 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 13 Jun 2014 11:12:18 GMT)


Message #22 received at 751454@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Goirand <zigo@debian.org>
Cc: security@debian.org, 751454@bugs.debian.org
Subject: Re: [PKG-Openstack-devel] Bug#751454: keystone: CVE-2014-3476: privilege escalation through trust chained delegation
Date: Fri, 13 Jun 2014 13:08:52 +0200

Hi Thomas,

On Fri, Jun 13, 2014 at 06:51:27PM +0800, Thomas Goirand wrote:
> On 06/13/2014 12:44 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Severity: grave
> > Tags: security upstream patch
> > Justification: user security hole
> > 
> > Hi Thomas,
> > 
> > As you might know, the following vulnerability was published for
> > keystone.
> > 
> > CVE-2014-3476[0]:
> > privilege escalation through trust chained delegation
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2014-3476
> > [1] http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html
> > 
> > Please adjust the affected versions in the BTS as needed. From the
> > advisory, at least all versions up to 2013.2.3, and 2014.1 to 2014.1.1,
> > are affected.
> > 
> > Regards and thanks for your work,
> > Salvatore
> 
> Hi Salvatore,
> 
> Thanks for the update. I received the pre-OSSA, but didn't find the time
> to address it before now.
> 
> I just uploaded the fix for Sid with urgency=high.

Thanks!
> 
> As much as I can tell, the Wheezy version isn't affected. None of the
> source code patched is present in the Essex version of Keystone. This is
> also what the OSSA tells.
> 
> I have updated the BTS, I believe I don't have the credentials for the
> security-tracker. Please mark Wheezy as unaffected, and sid as fixed in
> version 2014.1.1-2.

Ok, thanks for checking here. I have just marked wheezy as not
affected in the tracker.

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Jul 2014 07:31:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:51:23 2019; Machine Name: buxtehude
