[Bug 1893234] Re: [SRU] queens stable releases

Corey Bryant 1893234 at bugs.launchpad.net
Wed Oct 7 13:36:41 UTC 2020


This bug was fixed in the package keystone - 2:13.0.4-0ubuntu1~cloud0
---------------

 keystone (2:13.0.4-0ubuntu1~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 keystone (2:13.0.4-0ubuntu1) bionic-security; urgency=medium
 .
   [ Chris MacNaughton ]
   * d/watch: Update to point at opendev.org.
   * New stable point release for OpenStack Queens (LP: #1893234).
     - d/p/0001-fixing-dn-to-id.patch: Dropped. Fixed in upstream
       release.
 .
   [ Corey Bryant ]
   * SECURITY UPDATE: EC2 and/or credential endpoints are not protected
     from a scoped context. Keystone V3 /credentials endpoint policy
     logic allows to change credentials owner or target project ID.
     - debian/patches/CVE-2020-12689-CVE-2020-12691.patch: Fix security
       issues with EC2 credentials, addressing several issues in the
       creation and use of EC2/S3 credentials with keystone tokens.
     - CVE-2020-12689, CVE-2020-12691
   * SECURITY UPDATE: OAuth1 request token authorize silently ignores
     roles parameter.
     - debian/patches/CVE-2020-12690.patch: Ensure OAuth1 authorized
       roles are respected.
     - CVE-2020-12691
   * SECURITY UPDATE: Keystone doesn't check signature TTL of the EC2
     credential auth method.
     - debian/patches/CVE-2020-12692.patch: Check timestamp of signed
       EC2 token request.
     - CVE-2020-12692

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1893234

Title:
  [SRU] queens stable releases

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive queens series:
  Fix Released
Status in cinder package in Ubuntu:
  Invalid
Status in horizon package in Ubuntu:
  Invalid
Status in keystone package in Ubuntu:
  Invalid
Status in neutron package in Ubuntu:
  Invalid
Status in neutron-fwaas package in Ubuntu:
  Invalid
Status in nova package in Ubuntu:
  Invalid
Status in cinder source package in Bionic:
  Fix Released
Status in horizon source package in Bionic:
  Fix Released
Status in keystone source package in Bionic:
  Fix Released
Status in neutron source package in Bionic:
  Fix Released
Status in neutron-fwaas source package in Bionic:
  Fix Released
Status in nova source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  This release consists mostly of bug fixes, and we would like to make sure all of our supported customers have access to these improvements. The update contains the following package updates:

  cinder 12.0.10
  keystone 13.0.4
  horizon 13.0.3
  neutron 12.1.1
  neutron-fwaas 12.0.2
  nova 17.0.13

  [Test Case]
  The following SRU process was followed:
  https://wiki.ubuntu.com/OpenStackUpdates

  In order to avoid regression of existing consumers, the OpenStack team
  will run their continuous integration test against the packages that
  are in -proposed. A successful run of all available tests will be
  required before the proposed packages can be let into -updates.

  The OpenStack team will be in charge of attaching the output summary
  of the executed tests. The OpenStack team members will not mark
  ‘verification-done’ until this has happened.

  [Regression Potential]
  In order to mitigate the regression potential, the results of the
  aforementioned tests are attached to this bug.

  [Discussion]
  keystone 13.0.4 will be going through the security team as it includes security fixes.

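The keystone changelog above describes the CVE-2020-12692 fix as "check timestamp of signed EC2 token request": without a time bound, a captured request carrying a valid signature stays valid indefinitely. The following is an added illustration of that class of check, not Keystone's code and not the Ubuntu patch; it assumes a SigV4-style X-Amz-Date header (YYYYMMDDTHHMMSSZ) and a 15-minute window, both chosen here for illustration, and treats signature verification itself as already done.

```python
"""Illustrative timestamp-window check for a signed EC2-style credential request.

Added example, not Keystone's code: it demonstrates the kind of check the
CVE-2020-12692 changelog entry describes. The header name, the TTL value and
the function names are assumptions made for this illustration.
"""
from datetime import datetime, timedelta, timezone

# Assumed acceptance window; a real deployment picks its own value.
SIGNATURE_TTL = timedelta(minutes=15)

# Constructed reference clock (the date of the notification above), so the
# example is deterministic and runs offline.
REFERENCE_NOW = datetime(2020, 10, 7, 13, 36, 41, tzinfo=timezone.utc)


def parse_amz_date(value: str) -> datetime:
    """Parse an X-Amz-Date value of the form YYYYMMDDTHHMMSSZ (UTC only)."""
    if len(value) != 16 or not value.endswith("Z"):
        raise ValueError("malformed timestamp")
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def timestamp_within_ttl(amz_date: str, now: datetime,
                         ttl: timedelta = SIGNATURE_TTL) -> bool:
    """Return True only if the signed timestamp lies within +/- ttl of now.

    A malformed or missing timestamp is rejected rather than ignored: silently
    skipping the check would reintroduce unbounded replay.
    """
    try:
        signed_at = parse_amz_date(amz_date)
    except ValueError:
        return False
    return abs(now - signed_at) <= ttl


def authorize_signed_request(headers: dict, now: datetime,
                             signature_ok: bool) -> str:
    """Combine signature verification with the TTL check; return the decision."""
    if not signature_ok:
        return "reject: bad signature"
    if not timestamp_within_ttl(headers.get("X-Amz-Date", ""), now):
        return "reject: stale or malformed timestamp"
    return "accept"


def demo() -> list:
    """Run constructed requests against REFERENCE_NOW and return the decisions."""
    cases = [
        ({"X-Amz-Date": "20201007T133000Z"}, True),   # signed 6m41s ago: fresh
        ({"X-Amz-Date": "20201007T120000Z"}, True),   # signed ~1h37m ago: replay
        ({"X-Amz-Date": "2020-10-07"}, True),         # wrong format: reject
        ({}, True),                                   # header absent: reject
        ({"X-Amz-Date": "20201007T133000Z"}, False),  # fresh but bad signature
    ]
    return [authorize_signed_request(h, REFERENCE_NOW, ok) for h, ok in cases]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of the two checks matters little for correctness, but rejecting on signature first keeps the timestamp parser from running on unauthenticated input; the essential point is that a request fails closed whenever the timestamp is missing or unparsable.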