UbuntuUpdates.org

Package "keystone"

Name: keystone

Description:

OpenStack identity service - Daemons

Latest version: 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1
Release: precise (12.04)
Level: updates
Repository: main
Homepage: http://launchpad.net/keystone

Links

Save this URL for the latest version of "keystone": https://www.ubuntuupdates.org/keystone


Download "keystone"


Other versions of "keystone" in Precise

Repository Area Version
base main 2012.1-0ubuntu1
security main 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1 2013-05-17 00:07:23 UTC

  keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: delete user token immediately upon delete when using v2
    API
    - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
      token_api.delete_token() during delete. Also update test suite.
    - CVE-2013-2059
    - LP: #1166670
 -- Jamie Strandboge <email address hidden> Wed, 15 May 2013 14:41:06 -0500

Source diff to previous version
1166670 Deleted user can still create instances
CVE-2013-2059 Keystone: Deleted user can still create instances

Version: 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1 2013-05-16 18:06:44 UTC

  keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1) precise-proposed; urgency=low

  * Resynchronize with stable/essex (LP: #1089488):
    - [7402f5e] EC2 authentication does not ensure user or tenant is enabled
      LP: 1121494
    - [8945567] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
    - [7b5b72f] Add size validations for /tokens.
    - [ef1e682] docutils 0.10 incompatible with sphinx 1.1.3 LP: 1091333
    - [8735009] Removing user from a tenant isn't invalidating user access to
      tenant (LP: #1064914)
    - [025b1d5] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [ddb4019] Open 2012.1.4 development
    - [0e1f05e] memcache driver needs protection against unicode user keys
      (LP: #1056373)
    - [176ee9b] Token invalidation in case of role grant/revoke should be
      limited to affected tenant (LP: #1050025)
    - [58ac669] Token validation includes revoked roles (CVE-2012-4413)
      (LP: #1041396)
    - [cd1e48a] Memcached Token Backend does not support list tokens
      (LP: #1046905)
    - [5438d3b] Update user's default tenant partially succeeds without authz
      (LP: #1040626)
  * Dropped patches, superseeded by new snapshot:
    - debian/patches/CVE-2013-0282.patch [7402f5e]
    - debian/patches/CVE-2013-1664+1665.patch [8945567]
    - debian/patches/keystone-CVE-2012-5571.patch [8735009]
    - debian/patches/keystone-CVE-2012-4413.patch [58ac669]
    - debian/patches/keystone-CVE-2012-3542.patch [5438d3b]
  * Refreshed patches:
    - debian/patches/CVE-2013-0247.patch
    - debian/patches/fix-ubuntu-tests.patch
 -- Yolanda <email address hidden> Tue, 23 Apr 2013 10:30:16 +0200

Source diff to previous version
1089488 Meta bug for tracking Openstack Stable Updates
1064914 Removing user from a tenant isn't invalidating user access to tenant
1056373 memcache driver needs protection against unicode user keys
1050025 Token invalidation in case of role grant/revoke should be limited to affected tenant
1041396 Token validation includes revoked roles (CVE-2012-4413)
1046905 Memcached Token Backend does not support list tokens
1040626 Update user's default tenant partially succeeds without authz
CVE-2013-1664 Denial of service via xml entity parsing
CVE-2012-4413 openstack revoking a role does not affect existing tokens
CVE-2013-0282 EC2-style authentication accepts disabled user/tenants
CVE-2012-5571 OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which al
CVE-2012-3542 OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to a
CVE-2013-0247 Keystone denial of service through invalid token requests

Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.5 2013-02-21 00:06:57 UTC

  keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.5) precise-security; urgency=low

  * SECURITY UPDATE: fix EC2-style authentication for disabled users
    - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
      to ensure user and tenant are enabled in EC2
    - CVE-2013-0282
    - LP: #1121494
  * SECURITY UPDATE: fix denial of service
    - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
    - CVE-2013-1664
    - CVE-2013-1665
    - LP: #1100279
 -- Jamie Strandboge <email address hidden> Tue, 19 Feb 2013 11:57:49 -0600

Source diff to previous version
1121494 EC2 authentication does not ensure user or tenant is enabled
1100279 Local file leak through entities in XML requests (CVE-2013-1665)
CVE-2013-0282 EC2-style authentication accepts disabled user/tenants
CVE-2013-1664 Denial of service via xml entity parsing
CVE-2013-1665 Information leak via xml entity parsing

Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.4 2013-02-06 00:06:35 UTC

  keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.4) precise-security; urgency=low

  * SECURITY UPDATE: fix token creation error handling
    - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
      password, tenant_name, tenant_id and token size to help guard against a
      denial of service via large log files filling the disk
    - CVE-2013-0247
 -- Jamie Strandboge <email address hidden> Thu, 31 Jan 2013 12:22:43 -0600

Source diff to previous version
CVE-2013-0247 Keystone denial of service through invalid token requests

Version: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.3 2012-11-28 20:06:55 UTC

  keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.3) precise-security; urgency=low

  * SECURITY UPDATE: fix for EC2-style credentials invalidation
    - debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
      that the user is in at least one valid role for the tenant
    - CVE-2012-5571
    - LP: #1064914
 -- Jamie Strandboge <email address hidden> Mon, 26 Nov 2012 14:07:34 -0600

1064914 Removing user from a tenant isn't invalidating user access to tenant



About   -   Send Feedback to @ubuntu_updates