keystone: CVE-2013-2157 - authentication bypass when using LDAP backend

Related Vulnerabilities: CVE-2013-2157  

Debian Bug report logs - #712160


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Thu, 13 Jun 2013 16:33:01 UTC

Severity: grave

Tags: security

Fixed in version keystone/2013.1.2-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#712160; Package keystone. (Thu, 13 Jun 2013 16:33:06 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 13 Jun 2013 16:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: keystone: CVE-2013-2157 - authentication bypass when using LDAP backend
Date: Thu, 13 Jun 2013 18:29:09 +0200
Package: keystone
Severity: grave
Tags: security
Justification: user security hole

Hi,

a vulnerability was recently reported against keystone. See
http://article.gmane.org/gmane.comp.security.oss.general/10412 for the
detailed mail.

Please include the CVE number in the changelog entry when uploading, and
please contact the security team for uploads targeting stable/oldstable
if needed.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.9-1-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#712160; Package keystone. (Thu, 13 Jun 2013 17:30:07 GMT)


Acknowledgement sent to Prach Pongpanich <prachpub@gmail.com>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 13 Jun 2013 17:30:07 GMT)


Message #10 received at 712160@bugs.debian.org:

From: Prach Pongpanich <prachpub@gmail.com>
To: 712160@bugs.debian.org
Subject: Re: [Openstack-devel] Bug#712160: keystone: CVE-2013-2157 - authentication bypass when using LDAP backend
Date: Fri, 14 Jun 2013 00:27:26 +0700
On Thu, Jun 13, 2013 at 11:29 PM, Yves-Alexis Perez <corsac@debian.org> wrote:
> Package: keystone
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> a vulnerability was recently reported against keystone. See
> http://article.gmane.org/gmane.comp.security.oss.general/10412 for the
> detailed mail.
>
> Please include the CVE number in the changelog entry when uploading, and
> please contact the security team for uploads targeting stable/oldstable
> if needed.
>
> Regards,

Thanks Yves-Alexis!

I'm attaching the patches for both the Wheezy and Unstable versions
of Keystone (Folsom and Grizzly, respectively).

Regards,
 Prach
[CVE-2013-2157_folsom_Authentication_bypass_when_using_LDAP_backend.patch (application/octet-stream, attachment)]
[CVE-2013-2157_grizzly_Authentication_bypass_when_using_LDAP_backend.patch (application/octet-stream, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 16 Jun 2013 18:24:05 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Sun, 16 Jun 2013 18:24:05 GMT)


Message #15 received at 712160-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 712160-done@bugs.debian.org, Thomas Goirand <zigo@debian.org>
Cc: Yves-Alexis Perez <corsac@debian.org>
Subject: Re: Bug#712160: keystone: CVE-2013-2157 - authentication bypass when using LDAP backend
Date: Sun, 16 Jun 2013 20:20:42 +0200
Source: keystone
Source-Version: 2013.1.2-1

Hi Thomas

On Thu, Jun 13, 2013 at 06:29:09PM +0200, Yves-Alexis Perez wrote:
> Package: keystone
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> a vulnerability was recently reported against keystone. See
> http://article.gmane.org/gmane.comp.security.oss.general/10412 for the
> detailed mail.
> 
> Please include the CVE number in the changelog entry when uploading, and
> please contact the security team for uploads targeting stable/oldstable
> if needed.

Looks like the patch was applied to 2013.1.2-1 but this bug not
closed. Doing so manually now.

Regards,
Salvatore



Message #16 received at 712160-done@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 712160-done@bugs.debian.org, Yves-Alexis Perez <corsac@debian.org>
Subject: Re: Bug#712160: keystone: CVE-2013-2157 - authentication bypass when using LDAP backend
Date: Mon, 17 Jun 2013 02:28:41 +0800
On 06/17/2013 02:20 AM, Salvatore Bonaccorso wrote:
> Source: keystone
> Source-Version: 2013.1.2-1
> 
> Hi Thomas
> 
> On Thu, Jun 13, 2013 at 06:29:09PM +0200, Yves-Alexis Perez wrote:
>> Package: keystone
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Hi,
>>
>> a vulnerability was recently reported against keystone. See
>> http://article.gmane.org/gmane.comp.security.oss.general/10412 for the
>> detailed mail.
>>
>> Please include the CVE number in the changelog entry when uploading, and
>> please contact the security team for uploads targeting stable/oldstable
>> if needed.
> 
> Looks like the patch was applied to 2013.1.2-1 but this bug not
> closed. Doing so manually now.
> 
> Regards,
> Salvatore
> 

That's correct, thanks for doing so!

Thomas



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:45:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:10:16 2019; Machine Name: beach
