[ubuntu/impish-security] barbican 2:13.0.0-0ubuntu1.2 (Accepted)
Rodrigo Figueiredo Zaiden
rodrigo.zaiden at canonical.com
Mon Apr 25 14:33:21 UTC 2022
barbican (2:13.0.0-0ubuntu1.2) impish-security; urgency=medium

  * SECURITY UPDATE: Access restrictions bypass
    - debian/patches/CVE-2022-23451-1.patch: Change access policies to
      secret metadata in barbican/common/policies/secretmeta.py. Add a new
      role in barbican/common/policies/base.py and make use of these changes
      in barbican/api/controllers/__init__.py,
      barbican/api/controllers/secretmeta.py and
      barbican/api/controllers/secrets.py.
    - debian/patches/CVE-2022-23451-2.patch: Fix secure RBAC rules in
      barbican/common/policies/secretmeta.py
    - debian/patches/CVE-2022-23451-post1.patch: Change consumer controller
      code in barbican/api/controllers/*, change policy rules in
      barbican/common/policies/consumers.py and add tests in
      barbican/tests/api/test_resources_policy.py and
      functionaltests/api/v1/functional/test_acls.py.
    - debian/patches/CVE-2022-23451-post2.patch: Change secret policies in
      barbican/common/policies/secrets.py, add tests in
      barbican/tests/api/test_resources_policy.py and
      functionaltests/api/v1/functional/test_secrets_rbac.py and update
      api guide in api-guide/source/acls.rst.
    - CVE-2022-23451
  * SECURITY UPDATE: Ownership bypass
    - debian/patches/CVE-2022-23452.patch: Update container secret policies
      in barbican/common/policies/containers.py and add a new role in
      barbican/common/policies/base.py.
    - CVE-2022-23452
Date: 2022-04-20 20:17:11.416948+00:00
Changed-By: Rodrigo Figueiredo Zaiden <rodrigo.zaiden at canonical.com>
https://launchpad.net/ubuntu/+source/barbican/2:13.0.0-0ubuntu1.2