On Thu, Sep 13, 2012 at 12:59:59AM +0800, Thomas Goirand wrote:
> On 09/13/2012 12:44 AM, Henri Salo wrote:
> > Package: keystone
> > Version: 2012.1.1-5
> > Severity: important
> > Tags: security
> >
> > From http://www.openwall.com/lists/oss-security/2012/09/12/7
> >
> > Description:
> > Dolph Mathews reported a vulnerability in Keystone. Granting and
> > revoking roles from a user is not reflected upon token validation for
> > pre-existing tokens. Pre-existing tokens continue to be valid for the
> > original set of roles for the remainder of the token's lifespan, or
> > until explicitly invalidated. This fix invalidates all tokens held by
> > a user upon role grant/revoke to circumvent the issue.
> >
> > Folsom fix:
> > http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
> >
> > Essex fix:
> > http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
> >
> > References:
> > https://bugs.launchpad.net/keystone/+bug/1041396
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
> >
> > Notes:
> > This fix will be included in the future Keystone 2012.1.3 stable
> > update and the upcoming Folsom-RC1 development milestone.
>
> Hi,
>
> Thanks, but I am receiving the embargoed security fixes, and this is
> now a duplicate of 687428. The fixed package has just been uploaded
> to SID, and an unblock request has been sent too. Please do not
> submit such reports in the future, we are aware of this kind of
> problem.
>
> I'm therefore closing this bug.
>
> Cheers,
>
> Thomas Goirand (zigo)
I didn't know that, and it is impossible to tell when not to report
security vulnerabilities of packages in cases like this. Sometimes the
maintainer is following security advisories and sometimes not.

- Henri
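The behaviour described in the quoted report (CVE-2012-4413), as an added example that is not Keystone's code and not part of this thread. It is a toy token service: roles are snapshotted into the token at issue time, so without the fix validation keeps returning the old roles after a revoke; with the fix switched on, modelled on the described change, every token held by the user is dropped on role grant/revoke. The class, method names and sample users are assumptions made for illustration.

```python
"""Toy model of stale roles in pre-existing tokens (CVE-2012-4413).

Added example, not Keystone code. Roles are copied into the token when it is
issued; validation returns that snapshot for the token's remaining lifespan.
With invalidate_on_role_change=True, granting or revoking a role deletes all
of the user's live tokens, forcing a fresh token with the current roles.
"""
from __future__ import annotations

import secrets
import time


class TokenService:
    """Hypothetical token service; names and structure are assumptions."""

    def __init__(self, invalidate_on_role_change: bool, ttl: int = 3600):
        self.invalidate_on_role_change = invalidate_on_role_change
        self.ttl = ttl
        self.user_roles: dict[str, set[str]] = {}  # current role assignments
        self.tokens: dict[str, dict] = {}          # token id -> record

    def grant_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)
        self._on_role_change(user)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user: str) -> None:
        # The fix: drop every live token belonging to this user so the next
        # request has to obtain a new token that carries the current roles.
        if self.invalidate_on_role_change:
            stale = [tid for tid, rec in self.tokens.items() if rec["user"] == user]
            for tid in stale:
                del self.tokens[tid]

    def issue_token(self, user: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        tid = secrets.token_hex(16)
        # Roles are snapshotted here; this is what validation returns later,
        # regardless of what the user's assignments look like by then.
        self.tokens[tid] = {
            "user": user,
            "roles": frozenset(self.user_roles.get(user, set())),
            "expires": now + self.ttl,
        }
        return tid

    def validate(self, tid: str, now: float | None = None) -> frozenset[str] | None:
        """Return the roles the token grants, or None if it is invalid."""
        now = time.time() if now is None else now
        rec = self.tokens.get(tid)
        if rec is None or now >= rec["expires"]:
            self.tokens.pop(tid, None)
            return None
        return rec["roles"]


def roles_after_revoke(invalidate_on_role_change: bool) -> frozenset[str] | None:
    """Issue a token to a user holding 'admin', revoke it, validate the old token."""
    svc = TokenService(invalidate_on_role_change)
    svc.grant_role("alice", "member")   # constructed sample user and roles
    svc.grant_role("alice", "admin")
    tid = svc.issue_token("alice", now=0.0)
    svc.revoke_role("alice", "admin")
    return svc.validate(tid, now=60.0)  # well inside the token's TTL


if __name__ == "__main__":
    print("without fix:", sorted(roles_after_revoke(False)))  # still has 'admin'
    print("with fix:   ", roles_after_revoke(True))           # None: token gone
```

The unfixed path is the vulnerability: a token minted while the user was an admin keeps granting admin for up to `ttl` seconds after the role is removed. The fixed path trades some convenience (the user's other sessions are logged out on any role change) for the guarantee that a validated token never reflects roles the user no longer holds.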

