CVE-2013-0282: Ensure EC2 users and tenant are enabled

Related Vulnerabilities: CVE-2013-0282   CVE-2013-0280   CVE-2013-0247  

Debian Bug report logs - #700947
CVE-2013-0282: Ensure EC2 users and tenant are enabled


Reported by: Thomas Goirand <zigo@debian.org>

Date: Tue, 19 Feb 2013 16:03:02 UTC

Severity: grave

Tags: security

Found in version keystone/2012.1.1-12

Fixed in versions keystone/2012.1.1-13, keystone/2012.2.3-1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#700947; Package keystone. (Tue, 19 Feb 2013 16:03:04 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 19 Feb 2013 16:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-0282: Ensure EC2 users and tenant are enabled
Date: Tue, 19 Feb 2013 23:59:51 +0800
Package: keystone
Version: 2012.1.1-12
Severity: grave
Tags: security

Nathanael Burton reported a vulnerability in EC2-style authentication in
Keystone. Keystone fails to check whether a user, tenant, or domain is enabled
before authenticating a user using the EC2 api. Authenticated, but disabled
users (or authenticated users in disabled tenants or domains) could therefore
retain access rights that were thought removed. Only setups enabling EC2-style
authentication are affected. To disable EC2-style authentication to work
around the issue, remove the EC2 extension from the keystone API pipeline in
keystone.conf.

Patched version is ready, upload is coming.

Thomas Goirand (zigo)
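
The missing check described in the report, modelled as an added example (this is not Keystone's own code): a simplified EC2-style credential authenticator in which a valid request signature alone was enough to obtain a token, beside the corrected version that also refuses disabled users, tenants and domains. The in-memory USERS/TENANTS/DOMAINS/EC2_CREDS tables and the HMAC-SHA256 signature over a canonical request string are constructed simplifications, not Keystone's backend schema or the real EC2 signing scheme.

```python
import hashlib
import hmac

# Constructed sample identity data (not Keystone's real backend schema).
USERS = {"alice": {"enabled": False, "tenant": "proj-a"}}
TENANTS = {"proj-a": {"enabled": True, "domain": "default"}}
DOMAINS = {"default": {"enabled": True}}
# EC2 credential: access key -> secret plus the identity it maps to.
EC2_CREDS = {"AKIA_EXAMPLE": {"secret": "s3cr3t", "user_id": "alice", "tenant_id": "proj-a"}}


class Unauthorized(Exception):
    pass


def sign(secret, canonical_request):
    """Simplified EC2-style signature: HMAC-SHA256 over a canonical request string."""
    return hmac.new(secret.encode(), canonical_request.encode(), hashlib.sha256).hexdigest()


def _verify_signature(access, canonical_request, signature):
    """Look up the access key and check the signature in constant time."""
    cred = EC2_CREDS.get(access)
    if cred is None:
        raise Unauthorized("unknown access key")
    expected = sign(cred["secret"], canonical_request)
    if not hmac.compare_digest(expected, signature):
        raise Unauthorized("bad signature")
    return cred


def ec2_authenticate_vulnerable(access, canonical_request, signature):
    """Pre-fix behaviour: a valid signature alone yields an identity/token."""
    cred = _verify_signature(access, canonical_request, signature)
    return {"user_id": cred["user_id"], "tenant_id": cred["tenant_id"]}


def ec2_authenticate_fixed(access, canonical_request, signature):
    """Post-fix behaviour: the user, its tenant and the tenant's domain must all be enabled."""
    cred = _verify_signature(access, canonical_request, signature)
    user = USERS[cred["user_id"]]
    tenant = TENANTS[cred["tenant_id"]]
    domain = DOMAINS[tenant["domain"]]
    if not user["enabled"]:
        raise Unauthorized("user disabled")
    if not tenant["enabled"]:
        raise Unauthorized("tenant disabled")
    if not domain["enabled"]:
        raise Unauthorized("domain disabled")
    return {"user_id": cred["user_id"], "tenant_id": cred["tenant_id"]}
```

With the sample data, alice's credential still signs correctly after her account is disabled, so the vulnerable path returns an identity while the fixed path refuses it.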



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 19 Feb 2013 16:21:11 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Tue, 19 Feb 2013 16:21:11 GMT)


Message #10 received at 700947-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 700947-close@bugs.debian.org
Subject: Bug#700947: fixed in keystone 2012.1.1-13
Date: Tue, 19 Feb 2013 16:17:32 +0000
Source: keystone
Source-Version: 2012.1.1-13

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700947@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 19 Feb 2013 12:56:42 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.1.1-13
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 700947 700948
Changes: 
 keystone (2012.1.1-13) unstable; urgency=high
 .
   * CVE-2013-0282: Ensure EC2 users and tenant are enabled (Closes: #700947).
   * CVE-2013-0280: Information leak and Denial of Service using XML entities
     (Closes: #700948).




Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Tue, 19 Feb 2013 16:33:08 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Tue, 19 Feb 2013 16:33:09 GMT)


Message #15 received at 700947-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 700947-close@bugs.debian.org
Subject: Bug#700947: fixed in keystone 2012.2.3-1
Date: Tue, 19 Feb 2013 16:32:33 +0000
Source: keystone
Source-Version: 2012.2.3-1

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700947@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 03 Feb 2013 11:05:36 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2012.2.3-1
Distribution: experimental
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 700947 700948
Changes: 
 keystone (2012.2.3-1) experimental; urgency=low
 .
   * New upstream release.
   * CVE-2013-0247: Keystone denial of service through invalid token requests.
   * CVE-2013-0282: Keystone EC2-style authentication accepts disabled
     user/tenants (Closes: #700947).
   * CVE-2013-0280: Information leak and Denial of Service using XML entities
     (Closes: #700948).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 22 Mar 2013 07:26:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:48:10 2019; Machine Name: buxtehude
