[ubuntu/quantal-security] keystone 2012.2.4-0ubuntu3.1 (Accepted)
Jamie Strandboge
jamie at ubuntu.com
Fri Jun 14 02:32:18 UTC 2013
keystone (2012.2.4-0ubuntu3.1) quantal-security; urgency=low
* SECURITY UPDATE: fix auth_token middleware neglects to check expiry of
signed token when using PKI
- debian/patches/CVE-2013-2104.patch: explicitly check the expiry on the
tokens, and reject tokens that have expired. Also update test data
- CVE-2013-2104
- LP: #1179615
* debian/patches/fix-testsuite-for-2038-problem.patch: Adjust json example
cert data to use 2037 instead of 2112 and regenerate the certs. Also
adjust token expiry data to use 2037 instead of 2999.
* SECURITY UPDATE: fix authentication bypass when using LDAP backend
- debian/patches/CVE-2013-2157.patch: identity/backends/ldap/core.py is
adjusted to raise an assertion for invalid password when using LDAP and
an empty password is submitted
- CVE-2013-2157
- LP: #1187305
keystone (2012.2.4-0ubuntu3) quantal-proposed; urgency=low
* debian/patches/update_certs.patch: Fix FTBFS. Original SSL certs
for test suite expired May 18 2013. Cherry-picked regenerated certs
from stable/folsom commit c14f2789.
keystone (2012.2.4-0ubuntu2) quantal-proposed; urgency=low
* Rebase on latest security fixes.
* SECURITY UPDATE: delete user token immediately upon delete when using v2
API
- CVE-2013-2059.patch: adjust keystone/identity/core.py to call
token_api.delete_token() during delete. Also update test suite.
- CVE-2013-2059
- LP: #1166670
keystone (2012.2.4-0ubuntu1) quantal-proposed; urgency=low
* Dropped patches, applied upstream:
- debian/patches/CVE-2013-1865.patch: [255b1d4]
- debian/patches/CVE-2013-0282.patch: [f0b4d30]
- debian/patches/CVE-2013-1664+1665.patch: [8a22745]
* Resynchronize with stable/folsom (09f28020) (LP: #1179707):
- [5ea4fcf] V2 API reported at Beta LP: 1135230
- [1889299] PKI-signed token hash saved as token ID for SQL backend only
LP: 1073272
- [40660f0] Key PKI tokens on hash in memcached for auth_token middleware
LP: 1073343
- [b3ce6a7] Use the right subprocess based on os monkeypatch
- [bb1ded0] keystone-all --config-dir is being ignored LP: 1101129
- [9e0a97d] Temporary network outage results in connection refused and
invalid token LP: 1150299
- [255b1d4] Validation of PKI tokens bypasses revocation check LP: 1129713
- [8690166] PKI tokens are broken after 24 hours LP: 1074172
- [790c87e] PKI tokens are broken after 24 hours LP: 1074172
- [f0b4d30] EC2 authentication does not ensure user or tenant is enabled
LP: 1121494
- [8a22745] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
Date: 2013-06-13 19:10:17.653943+00:00
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
https://launchpad.net/ubuntu/quantal/+source/keystone/2012.2.4-0ubuntu3.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the Quantal-changes
mailing list