UbuntuUpdates.org

Package "python-keystone"

Name: python-keystone

Description:

OpenStack identity service - Python library
Latest version: 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1
Release: precise (12.04)
Level: security
Repository: main
Head package: keystone
Homepage: http://launchpad.net/keystone

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "python-keystone"

All arch deb package
APT INSTALL

Other versions of "python-keystone" in Precise

Repository Area Version
base main 2012.1-0ubuntu1
updates main 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1

Changelog

Version: 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1 2013-05-17 00:07:19 UTC

  keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: delete user token immediately upon delete when using v2
    API
    - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
      token_api.delete_token() during delete. Also update test suite.
    - CVE-2013-2059
    - LP: #1166670
 -- Jamie Strandboge <email address hidden> Wed, 15 May 2013 14:41:06 -0500
Source diff to previous version
1166670 Deleted user can still create instances
CVE-2013-2059 Keystone: Deleted user can still create instances

Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.5 2013-02-20 23:06:58 UTC

  keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.5) precise-security; urgency=low

  * SECURITY UPDATE: fix EC2-style authentication for disabled users
    - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
      to ensure user and tenant are enabled in EC2
    - CVE-2013-0282
    - LP: #1121494
  * SECURITY UPDATE: fix denial of service
    - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
    - CVE-2013-1664
    - CVE-2013-1665
    - LP: #1100279
 -- Jamie Strandboge <email address hidden> Tue, 19 Feb 2013 11:57:49 -0600
Source diff to previous version
1121494 EC2 authentication does not ensure user or tenant is enabled
1100279 Local file leak through entities in XML requests (CVE-2013-1665)
CVE-2013-0282 EC2-style authentication accepts disabled user/tenants
CVE-2013-1664 Denial of service via xml entity parsing
CVE-2013-1665 Information leak via xml entity parsing

Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.4 2013-02-05 23:06:37 UTC

  keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.4) precise-security; urgency=low

  * SECURITY UPDATE: fix token creation error handling
    - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
      password, tenant_name, tenant_id and token size to help guard against a
      denial of service via large log files filling the disk
    - CVE-2013-0247
 -- Jamie Strandboge <email address hidden> Thu, 31 Jan 2013 12:22:43 -0600
Source diff to previous version
CVE-2013-0247 Keystone denial of service through invalid token requests

Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.3 2012-11-28 20:06:57 UTC

  keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.3) precise-security; urgency=low

  * SECURITY UPDATE: fix for EC2-style credentials invalidation
    - debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
      that the user is in at least one valid role for the tenant
    - CVE-2012-5571
    - LP: #1064914
 -- Jamie Strandboge <email address hidden> Mon, 26 Nov 2012 14:07:34 -0600
Source diff to previous version
1064914 Removing user from a tenant isn't invalidating user access to tenant

Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.2 2012-09-13 00:06:48 UTC

  keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.2) precise-security; urgency=low

  * SECURITY UPDATE: Pre-existing tokens continue to be valid after
    granting or revoking a user's access (LP: #1041396)
    - debian/patches/keystone-CVE-2012-4413.patch: invalidate all user
      tokens upon role grant/revoke
    - CVE-2012-4413
 -- Steve Beattie <email address hidden> Wed, 12 Sep 2012 09:47:55 -0700
1041396 Token validation includes revoked roles (CVE-2012-4413)
CVE-2012-4413 openstack revoking a role does not affect existing tokens


About   -   Send Feedback to @ubuntu_updates