[Bug 1893234] Re: [SRU] queens stable releases
Launchpad Bug Tracker
1893234 at bugs.launchpad.net
Tue Sep 1 11:02:18 UTC 2020
This bug was fixed in the package keystone - 2:13.0.4-0ubuntu1
---------------
keystone (2:13.0.4-0ubuntu1) bionic-security; urgency=medium
[ Chris MacNaughton ]
* d/watch: Update to point at opendev.org.
* New stable point release for OpenStack Queens (LP: #1893234).
- d/p/0001-fixing-dn-to-id.patch: Dropped. Fixed in upstream
release.
[ Corey Bryant ]
* SECURITY UPDATE: EC2 and/or credential endpoints are not protected
from a scoped context. Keystone V3 /credentials endpoint policy
logic allows changing the credential's owner or target project ID.
- debian/patches/CVE-2020-12689-CVE-2020-12691.patch: Fix security
issues with EC2 credentials, addressing several issues in the
creation and use of EC2/S3 credentials with keystone tokens.
- CVE-2020-12689, CVE-2020-12691
* SECURITY UPDATE: OAuth1 request token authorize silently ignores
roles parameter.
- debian/patches/CVE-2020-12690.patch: Ensure OAuth1 authorized
roles are respected.
- CVE-2020-12691
* SECURITY UPDATE: Keystone doesn't check signature TTL of the EC2
credential auth method.
- debian/patches/CVE-2020-12692.patch: Check timestamp of signed
EC2 token request.
- CVE-2020-12692
-- Corey Bryant <corey.bryant at canonical.com> Fri, 28 Aug 2020 09:29:34 -0400
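The first security entry in the changelog above describes a policy gap: a project-scoped caller could re-point a credential at another user or project through fields in the request body. The following is an added example of the ownership guard that closes that class of bug. It is illustrative code written for this page, not Keystone's policy engine or the patch itself; the names TokenContext, Credential, Forbidden and the sample principals are assumptions made here.

```python
"""Ownership guard for a /credentials-style resource (added example).

Illustrative code, not Keystone's policy engine. It models the bug class in
the changelog's first security entry: a project-scoped caller must not be
able to re-point a credential at another user or project via fields in the
request body. The class names and sample data are assumptions made here.
"""
from dataclasses import dataclass, replace
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller's token scope does not permit the request."""


@dataclass(frozen=True)
class TokenContext:
    user_id: str
    project_id: Optional[str]       # None for a token without project scope
    system_admin: bool = False


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str
    project_id: Optional[str]
    type: str
    blob: str


OWNERSHIP_FIELDS = ("user_id", "project_id")
MUTABLE_FIELDS = ("type", "blob") + OWNERSHIP_FIELDS


def create_credential(ctx, body):
    """Owner and project come from the token, not from the body, unless the
    caller is a system admin. A non-admin may restate their own ids, but any
    other value is rejected instead of being silently accepted."""
    if ctx.system_admin:
        user_id = body.get("user_id", ctx.user_id)
        project_id = body.get("project_id", ctx.project_id)
    else:
        for name in OWNERSHIP_FIELDS:
            if name in body and body[name] != getattr(ctx, name):
                raise Forbidden(f"{name} in body does not match token scope")
        user_id, project_id = ctx.user_id, ctx.project_id
    return Credential(id=body["id"], user_id=user_id, project_id=project_id,
                      type=body["type"], blob=body["blob"])


def update_credential_unchecked(ctx, cred, changes):
    """The pre-fix shape: once 'may update this credential' passes, every
    field in the body is applied, so the caller can hand the credential to
    another user or attach it to another project."""
    if not ctx.system_admin and cred.user_id != ctx.user_id:
        raise Forbidden("not the credential owner")
    return replace(cred, **{k: v for k, v in changes.items() if k in MUTABLE_FIELDS})


def update_credential(ctx, cred, changes):
    """Hardened: non-admin callers may only touch non-ownership fields."""
    if not ctx.system_admin:
        if cred.user_id != ctx.user_id:
            raise Forbidden("not the credential owner")
        touched = [k for k in OWNERSHIP_FIELDS
                   if k in changes and changes[k] != getattr(cred, k)]
        if touched:
            raise Forbidden(f"ownership fields are immutable for this scope: {touched}")
    return replace(cred, **{k: v for k, v in changes.items() if k in MUTABLE_FIELDS})


def rejected(fn, *args):
    """True when the guard refuses the call; used to exercise the checks."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# Constructed sample principals and data (not from any real deployment).
ALICE = TokenContext(user_id="alice", project_id="proj-a")
ADMIN = TokenContext(user_id="root", project_id=None, system_admin=True)
ALICE_CRED = create_credential(
    ALICE, {"id": "c1", "type": "ec2", "blob": '{"access": "sample-access-key"}'})

if __name__ == "__main__":
    print(update_credential_unchecked(ALICE, ALICE_CRED, {"project_id": "proj-b"}))
    print(rejected(update_credential, ALICE, ALICE_CRED, {"project_id": "proj-b"}))
```

The design point is that ownership is derived from the token that authorized the call, and any body field that would change it is an explicit error for non-admin scopes rather than a value the policy rule happens not to look at. Returning Forbidden on a mismatch, instead of quietly overwriting the field, also makes the probing attempt visible in the API's error stream.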
** Changed in: keystone (Ubuntu Bionic)
Status: Triaged => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12689
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12690
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12691
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12692
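The last security entry in the changelog ("Check timestamp of signed EC2 token request") is a replay-window check: a correctly signed request that carries no freshness requirement can be captured and resubmitted indefinitely. The following is an added example of that check, written for this page and not taken from Keystone or the patch; the simplified HMAC-SHA256 signing scheme, the 5-minute window and the sample request are assumptions made here.

```python
"""Freshness check for a signed EC2-style request (added example).

Illustrative code, not Keystone's. It models the fix class named in the
changelog ("check timestamp of signed EC2 token request") using a
simplified HMAC-SHA256 over sorted query parameters. The signing scheme,
the 5-minute window and the sample request are assumptions made here.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

DEFAULT_TTL = timedelta(minutes=5)  # assumed replay window


def string_to_sign(params):
    """Canonical request: sorted params, minus the signature field itself."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "Signature"))


def sign(params, secret):
    return hmac.new(secret.encode(), string_to_sign(params).encode(),
                    hashlib.sha256).hexdigest()


def parse_timestamp(params):
    """Accept a SigV2 'Timestamp' (ISO 8601, Z) or a SigV4 'X-Amz-Date'
    (basic format). Both are part of the signed string."""
    if "Timestamp" in params:
        fmt, raw = "%Y-%m-%dT%H:%M:%SZ", params["Timestamp"]
    elif "X-Amz-Date" in params:
        fmt, raw = "%Y%m%dT%H%M%SZ", params["X-Amz-Date"]
    else:
        raise ValueError("signed request carries no timestamp")
    return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)


def verify_signature_only(params, secret):
    """The pre-fix shape: a valid signature is accepted however old it is,
    so a captured request replays indefinitely."""
    return hmac.compare_digest(sign(params, secret), params.get("Signature", ""))


def verify(params, secret, now, ttl=DEFAULT_TTL):
    """Hardened: signature first, then require |now - timestamp| <= ttl.

    Because the timestamp is inside the signed string, someone who captured
    a request cannot refresh it without invalidating the signature.
    Returns (accepted, reason).
    """
    if not verify_signature_only(params, secret):
        return False, "bad signature"
    try:
        ts = parse_timestamp(params)
    except ValueError as exc:
        return False, str(exc)
    skew = abs(now - ts)
    if skew > ttl:
        return False, (f"stale request: skew {int(skew.total_seconds())}s "
                       f"exceeds {int(ttl.total_seconds())}s")
    return True, "ok"


# Constructed sample request (not captured traffic) and the secret that signed it.
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_REQUEST = {
    "Action": "DescribeInstances",
    "AWSAccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "Timestamp": "2020-08-28T13:29:34Z",
}
SAMPLE_REQUEST["Signature"] = sign(SAMPLE_REQUEST, SAMPLE_SECRET)
SAMPLE_NOW = datetime(2020, 8, 28, 13, 30, 0, tzinfo=timezone.utc)


def verify_sample(seconds_later=0, **overrides):
    """Verify SAMPLE_REQUEST as received `seconds_later` after SAMPLE_NOW,
    optionally with fields tampered first (which must break the signature)."""
    req = dict(SAMPLE_REQUEST, **overrides)
    return verify(req, SAMPLE_SECRET, SAMPLE_NOW + timedelta(seconds=seconds_later))


if __name__ == "__main__":
    print(verify_sample())                                   # (True, 'ok')
    print(verify_sample(3600))                               # stale: replay rejected
    print(verify_sample(3600, Timestamp="2020-08-28T14:29:00Z"))  # (False, 'bad signature')
    print(verify_signature_only(SAMPLE_REQUEST, SAMPLE_SECRET))   # True: the old behaviour
```

The window is checked in both directions so that a request stamped in the future is refused as well; the signature is verified before the timestamp is parsed so that the freshness decision is only ever made on data the key holder actually signed.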
https://bugs.launchpad.net/bugs/1893234
Title:
[SRU] queens stable releases
Status in Ubuntu Cloud Archive:
Invalid
Status in Ubuntu Cloud Archive queens series:
Triaged
Status in cinder package in Ubuntu:
Invalid
Status in horizon package in Ubuntu:
Invalid
Status in keystone package in Ubuntu:
Invalid
Status in neutron package in Ubuntu:
Invalid
Status in neutron-fwaas package in Ubuntu:
Invalid
Status in nova package in Ubuntu:
Invalid
Status in cinder source package in Bionic:
Triaged
Status in horizon source package in Bionic:
Triaged
Status in keystone source package in Bionic:
Fix Released
Status in neutron source package in Bionic:
Triaged
Status in neutron-fwaas source package in Bionic:
Triaged
Status in nova source package in Bionic:
Triaged
Bug description:
[Impact]
This release consists mostly of bug fixes, and we would like to make sure all of our supported customers have access to these improvements. The update contains the following package updates:
cinder 12.0.10
keystone 13.0.4
horizon 13.0.3
neutron 12.1.1
neutron-fwaas 12.0.2
nova 17.0.13
[Test Case]
The following SRU process was followed:
https://wiki.ubuntu.com/OpenStackUpdates
In order to avoid regression of existing consumers, the OpenStack team
will run their continuous integration test against the packages that
are in -proposed. A successful run of all available tests will be
required before the proposed packages can be let into -updates.
The OpenStack team will be in charge of attaching the output summary
of the executed tests. The OpenStack team members will not mark
‘verification-done’ until this has happened.
[Regression Potential]
In order to mitigate the regression potential, the results of the
aforementioned tests are attached to this bug.
[Discussion]
keystone 13.0.4 will be going through the security team as it includes security fixes.