Package "keystone"
Name: keystone
Description: OpenStack identity service - Daemons
Latest version: 2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1
Release: precise (12.04)
Level: updates
Repository: main
Homepage: http://launchpad.net/keystone
Changelog
keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: delete user token immediately upon delete when using v2
    API
    - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
      token_api.delete_token() during delete. Also update test suite.
    - CVE-2013-2059
    - LP: #1166670

 -- Jamie Strandboge <email address hidden>  Wed, 15 May 2013 14:41:06 -0500
Referenced bugs and CVEs:
- LP: #1166670: Deleted user can still create instances
- CVE-2013-2059: Keystone: Deleted user can still create instances
keystone (2012.1.3+stable-20130423-f48dd0fc-0ubuntu1) precise-proposed; urgency=low

  * Resynchronize with stable/essex (LP: #1089488):
    - [7402f5e] EC2 authentication does not ensure user or tenant is enabled
      LP: 1121494
    - [8945567] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
    - [7b5b72f] Add size validations for /tokens.
    - [ef1e682] docutils 0.10 incompatible with sphinx 1.1.3 LP: 1091333
    - [8735009] Removing user from a tenant isn't invalidating user access to
      tenant (LP: #1064914)
    - [025b1d5] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [ddb4019] Open 2012.1.4 development
    - [0e1f05e] memcache driver needs protection against unicode user keys
      (LP: #1056373)
    - [176ee9b] Token invalidation in case of role grant/revoke should be
      limited to affected tenant (LP: #1050025)
    - [58ac669] Token validation includes revoked roles (CVE-2012-4413)
      (LP: #1041396)
    - [cd1e48a] Memcached Token Backend does not support list tokens
      (LP: #1046905)
    - [5438d3b] Update user's default tenant partially succeeds without authz
      (LP: #1040626)
  * Dropped patches, superseded by new snapshot:
    - debian/patches/CVE-2013-0282.patch [7402f5e]
    - debian/patches/CVE-2013-1664+1665.patch [8945567]
    - debian/patches/keystone-CVE-2012-5571.patch [8735009]
    - debian/patches/keystone-CVE-2012-4413.patch [58ac669]
    - debian/patches/keystone-CVE-2012-3542.patch [5438d3b]
  * Refreshed patches:
    - debian/patches/CVE-2013-0247.patch
    - debian/patches/fix-ubuntu-tests.patch

 -- Yolanda <email address hidden>  Tue, 23 Apr 2013 10:30:16 +0200
Referenced bugs and CVEs:
- LP: #1089488: Meta bug for tracking Openstack Stable Updates
- LP: #1064914: Removing user from a tenant isn't invalidating user access to tenant
- LP: #1056373: memcache driver needs protection against unicode user keys
- LP: #1050025: Token invalidation in case of role grant/revoke should be limited to affected tenant
- LP: #1041396: Token validation includes revoked roles (CVE-2012-4413)
- LP: #1046905: Memcached Token Backend does not support list tokens
- LP: #1040626: Update user's default tenant partially succeeds without authz
- CVE-2013-1664: Denial of service via xml entity parsing
- CVE-2012-4413: openstack revoking a role does not affect existing tokens
- CVE-2013-0282: EC2-style authentication accepts disabled user/tenants
- CVE-2012-5571: OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which al
- CVE-2012-3542: OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to a
- CVE-2013-0247: Keystone denial of service through invalid token requests
keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.5) precise-security; urgency=low

  * SECURITY UPDATE: fix EC2-style authentication for disabled users
    - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
      to ensure user and tenant are enabled in EC2
    - CVE-2013-0282
    - LP: #1121494
  * SECURITY UPDATE: fix denial of service
    - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
    - CVE-2013-1664
    - CVE-2013-1665
    - LP: #1100279

 -- Jamie Strandboge <email address hidden>  Tue, 19 Feb 2013 11:57:49 -0600
Referenced bugs and CVEs:
- LP: #1121494: EC2 authentication does not ensure user or tenant is enabled
- LP: #1100279: Local file leak through entities in XML requests (CVE-2013-1665)
- CVE-2013-0282: EC2-style authentication accepts disabled user/tenants
- CVE-2013-1664: Denial of service via xml entity parsing
- CVE-2013-1665: Information leak via xml entity parsing
keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.4) precise-security; urgency=low

  * SECURITY UPDATE: fix token creation error handling
    - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
      password, tenant_name, tenant_id and token size to help guard against a
      denial of service via large log files filling the disk
    - CVE-2013-0247

 -- Jamie Strandboge <email address hidden>  Thu, 31 Jan 2013 12:22:43 -0600
Referenced bugs and CVEs:
- CVE-2013-0247: Keystone denial of service through invalid token requests
keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2.3) precise-security; urgency=low

  * SECURITY UPDATE: fix for EC2-style credentials invalidation
    - debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
      that the user is in at least one valid role for the tenant
    - CVE-2012-5571
    - LP: #1064914

 -- Jamie Strandboge <email address hidden>  Mon, 26 Nov 2012 14:07:34 -0600
Referenced bugs and CVEs:
- LP: #1064914: Removing user from a tenant isn't invalidating user access to tenant