[ubuntu/quantal-security] keystone 2012.2.4-0ubuntu3.1 (Accepted)

Jamie Strandboge jamie at ubuntu.com
Fri Jun 14 02:32:18 UTC 2013 

keystone (2012.2.4-0ubuntu3.1) quantal-security; urgency=low

  * SECURITY UPDATE: fix auth_token middleware neglects to check expiry of
    signed token when using PKI
    - debian/patches/CVE-2013-2104.patch: explicitly check the expiry on the
      tokens, and reject tokens that have expired. Also update test data
    - CVE-2013-2104
    - LP: #1179615
  * debian/patches/fix-testsuite-for-2038-problem.patch: Adjust json example
    cert data to use 2037 instead of 2112 and regenerate the certs. Also
    adjust token expiry data to use 2037 instead of 2999.
  * SECURITY UPDATE: fix authentication bypass when using LDAP backend
    - debian/patches/CVE-2013-2157.patch: identity/backends/ldap/core.py is
      adjusted to raise an assertion for invalid password when using LDAP and
      an empty password is submitted
    - CVE-2013-2157
    - LP: #1187305

keystone (2012.2.4-0ubuntu3) quantal-proposed; urgency=low

  * debian/patches/update_certs.patch: Fix FTBFS.  Original SSL certs
    for test suite expired May 18 2013. Cherry-picked regenerated certs
    from stable/folsom commit c14f2789.

keystone (2012.2.4-0ubuntu2) quantal-proposed; urgency=low

  * Rebase on latest security fixes.
  * SECURITY UPDATE: delete user token immediately upon delete when using v2
    API
    - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
      token_api.delete_token() during delete. Also update test suite.
    - CVE-2013-2059
    - LP: #1166670

keystone (2012.2.4-0ubuntu1) quantal-proposed; urgency=low

  * Dropped patches, applied upstream:
    - debian/patches/CVE-2013-1865.patch: [255b1d4]
    - debian/patches/CVE-2013-0282.patch: [f0b4d30]
    - debian/patches/CVE-2013-1664+1665.patch: [8a22745]
  * Resynchronize with stable/folsom (09f28020) (LP: #1179707):
    - [5ea4fcf] V2 API reported at Beta LP: 1135230
    - [1889299] PKI-signed token hash saved as token ID for SQL backend only
      LP: 1073272
    - [40660f0] Key PKI tokens on hash in memcached for auth_token middleware
      LP: 1073343
    - [b3ce6a7] Use the right subprocess based on os monkeypatch
    - [bb1ded0] keystone-all --config-dir is being ignored LP: 1101129
    - [9e0a97d] Temporary network outage results in connection refused and
      invalid token LP: 1150299
    - [255b1d4] Validation of PKI tokens bypasses revocation check LP: 1129713
    - [8690166] PKI tokens are broken after 24 hours LP: 1074172
    - [790c87e] PKI tokens are broken after 24 hours LP: 1074172
    - [f0b4d30] EC2 authentication does not ensure user or tenant is enabled
      LP: 1121494
    - [8a22745] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282

Date: 2013-06-13 19:10:17.653943+00:00
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
https://launchpad.net/ubuntu/quantal/+source/keystone/2012.2.4-0ubuntu3.1
-------------- next part --------------
Sorry, changesfile not available.

More information about the Quantal-changes mailing list