Hello community,

here is the log from the commit of package openstack-keystone for 
openSUSE:Factory checked in at 2013-02-22 16:55:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openstack-keystone (Old)
 and      /work/SRC/openSUSE:Factory/.openstack-keystone.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openstack-keystone", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openstack-keystone/openstack-keystone.changes    
2013-02-08 07:13:00.000000000 +0100
+++ 
/work/SRC/openSUSE:Factory/.openstack-keystone.new/openstack-keystone.changes   
    2013-02-22 16:55:56.000000000 +0100
@@ -1,0 +2,7 @@
+Fri Feb 22 10:11:13 UTC 2013 - [email protected]
+
+- Update to version 2012.2.4+git.1361527873.37b3532:
+  + Disable XML entity parsing (CVE-2013-1664, CVE-2013-1665)
+  + Ensure user and tenant enabled in EC2 (CVE-2013-0282)
+
+--------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openstack-keystone-doc.spec ++++++
--- /var/tmp/diff_new_pack.O6QhFl/_old  2013-02-22 16:55:58.000000000 +0100
+++ /var/tmp/diff_new_pack.O6QhFl/_new  2013-02-22 16:55:58.000000000 +0100
@@ -19,7 +19,7 @@
 %define component keystone
 
 Name:           openstack-%{component}-doc
-Version:        2012.2.4+git.1360133921.82c87e5
+Version:        2012.2.4+git.1361527873.37b3532
 Release:        0
 License:        Apache-2.0
 Summary:        OpenStack Identity Service (Keystone) - Documentation

++++++ openstack-keystone.spec ++++++
--- /var/tmp/diff_new_pack.O6QhFl/_old  2013-02-22 16:55:58.000000000 +0100
+++ /var/tmp/diff_new_pack.O6QhFl/_new  2013-02-22 16:55:58.000000000 +0100
@@ -23,7 +23,7 @@
 %define hybrid keystone-hybrid-backend-folsom
 
 Name:           openstack-%{component}
-Version:        2012.2.4+git.1360133921.82c87e5
+Version:        2012.2.4+git.1361527873.37b3532
 Release:        0
 License:        Apache-2.0
 Summary:        OpenStack Identity Service (Keystone)

++++++ keystone-hybrid-backend-folsom.tar.gz ++++++

++++++ keystone-stable-folsom.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/keystone-2012.2.4/AUTHORS 
new/keystone-2012.2.4/AUTHORS
--- old/keystone-2012.2.4/AUTHORS       2013-02-05 17:24:46.000000000 +0100
+++ new/keystone-2012.2.4/AUTHORS       2013-02-20 02:12:23.000000000 +0100
@@ -84,6 +84,7 @@
 Mohammed Naser <[email protected]>
 monsterxx03 <[email protected]>
 Monty Taylor <[email protected]>
+Nathanael Burton <[email protected]>
 Pádraig Brady <[email protected]>
 Pádraig Brady <[email protected]>
 Paul McMillan <[email protected]>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/keystone-2012.2.4/ChangeLog 
new/keystone-2012.2.4/ChangeLog
--- old/keystone-2012.2.4/ChangeLog     2013-02-05 17:24:46.000000000 +0100
+++ new/keystone-2012.2.4/ChangeLog     2013-02-20 02:12:22.000000000 +0100
@@ -1,3 +1,36 @@
+commit 37b3532884f30fc979f633abe9be2b694d16887a
+Merge: 8a22745 f0b4d30
+Author: Jenkins <[email protected]>
+Date:   Wed Feb 20 00:49:06 2013 +0000
+
+    Merge "Ensure user and tenant enabled in EC2" into stable/folsom
+
+commit f0b4d300db5cc61d4f079f8bce9da8e8bea1081a
+Author: Nathanael Burton <[email protected]>
+Date:   Tue Feb 19 09:27:04 2013 -0600
+
+    Ensure user and tenant enabled in EC2
+    
+    Fixes bug 1121494.
+    
+    Change-Id: Icc90d581691b5aa63754e076ce983dfa2885a1dc
+
+ keystone/contrib/ec2/core.py |   22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+commit 8a2274595ac628b2373eab0cb14690f866b7a024
+Author: Dolph Mathews <[email protected]>
+Date:   Tue Feb 19 09:04:11 2013 -0600
+
+    Disable XML entity parsing
+    
+    Fixes bug 1100282 and bug 1100279.
+    
+    Change-Id: Ibf2d73bca17b689cfa2dfd29eb15ea6e7458a123
+
+ keystone/common/serializer.py |   15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
 commit 82c87e5638ebaf9f166a9b07a0155291276d6fdc
 Merge: b3bd5fd bb2226f
 Author: Jenkins <[email protected]>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/keystone-2012.2.4/keystone/common/serializer.py 
new/keystone-2012.2.4/keystone/common/serializer.py
--- old/keystone-2012.2.4/keystone/common/serializer.py 2013-02-05 
17:22:07.000000000 +0100
+++ new/keystone-2012.2.4/keystone/common/serializer.py 2013-02-20 
02:08:12.000000000 +0100
@@ -29,6 +29,16 @@
 DOCTYPE = '<?xml version="1.0" encoding="UTF-8"?>'
 XMLNS = 'http://docs.openstack.org/identity/api/v2.0'
 
+PARSER = etree.XMLParser(
+    resolve_entities=False,
+    remove_comments=True,
+    remove_pis=True)
+
+# NOTE(dolph): lxml.etree.Entity() is just a callable that currently returns an
+# lxml.etree._Entity instance, which doesn't appear to be part of the
+# public API, so we discover the type dynamically to be safe
+ENTITY_TYPE = type(etree.Entity('x'))
+
 
 def from_xml(xml):
     """Deserialize XML to a dictionary."""
@@ -51,7 +61,7 @@
 class XmlDeserializer(object):
     def __call__(self, xml_str):
         """Returns a dictionary populated by decoding the given xml string."""
-        dom = etree.fromstring(xml_str.strip())
+        dom = etree.fromstring(xml_str.strip(), PARSER)
         return self.walk_element(dom)
 
     @staticmethod
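Review bot: Only `XmlDeserializer.__call__` on line 145 is switched to `PARSER`; any other parse entry in this module (the body of `from_xml`, or an `etree.parse`/`etree.fromstring` call elsewhere in the file) would still use lxml's default parser, which resolves entities, so the file should be checked for remaining parse calls that bypass `PARSER` before this is considered the complete fix. If `from_xml` simply delegates to this class, a one-line comment at the call site, `# all XML input must go through PARSER (entities left unexpanded)`, records the invariant for the next maintainer.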
@@ -87,7 +97,8 @@
         # current spec does not have attributes on an element with text
         values = values or text or {}
 
-        for child in [self.walk_element(x) for x in element]:
+        for child in [self.walk_element(x) for x in element
+                      if not isinstance(x, ENTITY_TYPE)]:
             values = dict(values.items() + child.items())
 
         return {XmlDeserializer._tag_name(element.tag): values}
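Review bot: Skipping entity nodes on line 155 also skips whatever `walk_element` would have extracted from them, including any `.tail` text that follows an unexpanded entity reference inside an element, so that content is silently dropped rather than reaching `values`; that is probably acceptable for this API, but the comprehension has no comment saying the skip is deliberate. Suggest `# PARSER leaves entity references as placeholder nodes; never walk them` above the loop. `walk_element` starts outside this hunk.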
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/keystone-2012.2.4/keystone/contrib/ec2/core.py 
new/keystone-2012.2.4/keystone/contrib/ec2/core.py
--- old/keystone-2012.2.4/keystone/contrib/ec2/core.py  2013-02-05 
17:22:07.000000000 +0100
+++ new/keystone-2012.2.4/keystone/contrib/ec2/core.py  2013-02-20 
02:08:12.000000000 +0100
@@ -37,6 +37,7 @@
 import uuid
 
 from keystone import catalog
+from keystone.common import logging
 from keystone.common import manager
 from keystone.common import utils
 from keystone.common import wsgi
@@ -49,6 +50,7 @@
 
 
 CONF = config.CONF
+LOG = logging.getLogger(__name__)
 
 
 class Manager(manager.Manager):
@@ -117,9 +119,9 @@
             credentials['host'] = hostname
             signature = signer.generate(credentials)
             if not utils.auth_str_equal(credentials.signature, signature):
-                raise exception.Unauthorized(message='Invalid EC2 signature.')
+                raise exception.Unauthorized()
         else:
-            raise exception.Unauthorized(message='EC2 signature not supplied.')
+            raise exception.Unauthorized()
 
     def authenticate(self, context, credentials=None, ec2Credentials=None):
         """Validate a signed EC2 request and provide a token.
@@ -149,7 +151,7 @@
             credentials = ec2Credentials
 
         if not 'access' in credentials:
-            raise exception.Unauthorized(message='EC2 signature not supplied.')
+            raise exception.Unauthorized()
 
         creds_ref = self._get_credentials(context,
                                           credentials['access'])
@@ -161,9 +163,19 @@
         tenant_ref = self.identity_api.get_tenant(
             context=context,
             tenant_id=creds_ref['tenant_id'])
+        # If the tenant is disabled don't allow them to authenticate
+        if tenant_ref and not tenant_ref.get('enabled', True):
+            msg = 'Tenant %s is disabled' % tenant_ref['id']
+            LOG.warning(msg)
+            raise exception.Unauthorized()
         user_ref = self.identity_api.get_user(
             context=context,
             user_id=creds_ref['user_id'])
+        # If the user is disabled don't allow them to authenticate
+        if not user_ref.get('enabled', True):
+            msg = 'User %s is disabled' % user_ref['id']
+            LOG.warning(msg)
+            raise exception.Unauthorized()
         metadata_ref = self.identity_api.get_metadata(
             context=context,
             user_id=user_ref['id'],
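Review bot: The tenant check on line 208 is guarded by `tenant_ref and ...`, so a falsy `tenant_ref` skips the enabled check and authentication continues, while the user check on line 216 has no such guard; if `get_tenant` can return None for a missing tenant rather than raising, a credential bound to a deleted tenant passes this check unchallenged. Either treat a missing tenant as a failure too, `if not tenant_ref or not tenant_ref.get('enabled', True):`, or drop the guard if `get_tenant` is known to raise, and say which in the comment. Both new checks also fail open when the `enabled` key is absent (`.get('enabled', True)`), which deserves a comment if that default is intentional. The warning calls can use lazy formatting, `LOG.warning('Tenant %s is disabled', tenant_ref['id'])`, instead of building `msg` first. `authenticate` starts and ends outside this hunk.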
@@ -174,7 +186,7 @@
         # fill out the roles in the metadata
         roles = metadata_ref.get('roles', [])
         if not roles:
-            raise exception.Unauthorized(message='User not valid for tenant.')
+            raise exception.Unauthorized()
         roles_ref = [self.identity_api.get_role(context, role_id)
                      for role_id in roles]
 
@@ -279,7 +291,7 @@
         creds = self.ec2_api.get_credential(context,
                                             credential_id)
         if not creds:
-            raise exception.Unauthorized(message='EC2 access key not found.')
+            raise exception.Unauthorized()
         return creds
 
     def _assert_identity(self, context, user_id):
