Your message dated Sat, 18 Dec 2021 11:36:17 +0000
with message-id 
<f35b13da0620aab462a587a3d6f06f29a527c6c9.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for changes included in 11.2
has caused the Debian Bug report #992331,
regarding bullseye-pu: package keystone/18.0.0-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
992331: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992331
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

[ Reason ]
This update addresses CVE-2021-38155 by adding the upstream patch,
and also tweaks keystone-uwsgi.ini for performance.

[ Impact ]
Anyone having the lockout_failure_attempts feature enabled
can be attacked to discover project IDs.

[ Tests ]
Upstream has a functional test suite, and unit testing.
The package runs unit tests at build time. The unit tests
include testing of the modified feature (i.e., it now tests
that Keystone replies with "unauthorized" instead of
"locked").

[ Risks ]
This is a minor change in the way Keystone replies to
unauthorized requests. There's no other change involved.
I believe that's very safe.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
On top of the patch, the changes include a tweak in
the uwsgi configuration file. It really makes a huge
difference in performance, and IMO that's very important,
especially for Keystone, which is usually a very busy
component of any OpenStack deployment, so I very much
would like this to be accepted too.

Please allow me to upload keystone/18.0.0-3+deb11u1.
Cheers,

Thomas Goirand (zigo)
diff -Nru keystone-18.0.0/debian/changelog keystone-18.0.0/debian/changelog
--- keystone-18.0.0/debian/changelog    2020-11-21 23:09:55.000000000 +0100
+++ keystone-18.0.0/debian/changelog    2021-03-17 12:06:20.000000000 +0100
@@ -1,3 +1,12 @@
+keystone (2:18.0.0-3+deb11u1) bullseye; urgency=medium
+
+  * Tune keystone-uwsgi.ini for performance.
+  * CVE-2021-38155 / OSSA-2021-003: Account name and UUID oracles in account
+    locking. Applied upstream patch: Hide AccountLocked exception from end
+    users (Closes: #992070).
+
+ -- Thomas Goirand <[email protected]>  Wed, 17 Mar 2021 12:06:20 +0100
+
 keystone (2:18.0.0-3) unstable; urgency=medium
 
   * Removed python3-crypto from (build-)depends (Closes: #971310).
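Review bot: the trailer date `Wed, 17 Mar 2021 12:06:20 +0100` (and the 2021-03-17 timestamps in the debdiff file headers) predates the `Last-Update: 2021-08-14` of the very patch this entry adds, so the entry looks like it was started months earlier and never re-dated; run `dch -r` before upload so the changelog date matches the actual bullseye-pu upload. The first bullet could also say what "Tune keystone-uwsgi.ini for performance" changes (default process and thread counts), since that is the part of a stable update an operator is most likely to notice.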
diff -Nru keystone-18.0.0/debian/keystone-uwsgi.ini 
keystone-18.0.0/debian/keystone-uwsgi.ini
--- keystone-18.0.0/debian/keystone-uwsgi.ini   2020-11-21 23:09:55.000000000 
+0100
+++ keystone-18.0.0/debian/keystone-uwsgi.ini   2021-03-17 12:06:20.000000000 
+0100
@@ -12,16 +12,14 @@
 # This is running standalone
 master = true
 
-# Threads and processes
-enable-threads = true
-
-processes = 4
-
 # uwsgi recommends this to prevent thundering herd on accept.
 thunder-lock = true
 
+# Default plugins to load
 plugins = python3,apparmor
 
+# We do have a keystone apparmor profile in this package,
+# so let's use it.
 apparmor-profile = keystone
 
 # This ensures that file descriptors aren't shared between the WSGI 
application processes.
@@ -36,10 +34,26 @@
 # exit instead of brutal reload on SIGTERM
 die-on-term = true
 
+##########################
+### Performance tuning ###
+##########################
+# Threads and processes
+enable-threads = true
+
+# For max perf, set this to number of core*2
+processes = 8
+
+# This was benchmarked as a good value
+threads = 32
+
+# This is the number of sockets in the queue.
+# It improves a lot performances. This is comparable
+# to the Apache ServerLimit/MaxClients option.
+listen = 100
+
 ##################################
 ### OpenStack service specific ###
 ##################################
-
 # This is the standard port for the WSGI application, listening on all 
available IPs
 logto = /var/log/keystone/keystone.log
 name = keystone-api
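Review bot: the comment above `listen = 100` describes the wrong knob: `listen` sets the listen(2) backlog (the Apache analogue is ListenBacklog, not ServerLimit/MaxClients), and the kernel caps it at net.core.somaxconn, so a value above that sysctl is silently reduced; reword the comment and mention the cap. `processes = 8` also hardcodes what the comment right above it says should be derived from the core count; combined with `threads = 32` that is 256 worker threads per instance regardless of host size, so either document it as a default to be adjusted per host or derive it with uWSGI's `%k` magic variable (detected CPU cores), if the uWSGI in bullseye supports it. Minor: `enable-threads = true` is implied once `threads` is greater than 1.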
diff -Nru 
keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch
 
keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch
--- 
keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch
     2021-03-17 12:06:20.000000000 +0100
@@ -0,0 +1,106 @@
+Description:: CVE-2021-38155 Hide AccountLocked exception from end users
+ This change hides the AccountLocked exception from being returned
+ to the end user to hide sensitive information that a potential
+ malicious person could gain insight from.
+ .
+ The notification handler catches the AccountLocked exception as
+ before, but after sending the audit notification, it instead
+ bubbles up Unauthorized rather than AccountLocked.
+Author: Gage Hugo <[email protected]>
+Date: Tue, 27 Oct 2020 15:22:04 -0500
+Co-Authored-By: Samuel de Medeiros Queiroz <[email protected]>
+Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
+Bug-Ubuntu: https://bugs.launchpad.net/keystone/+bug/1688137
+Bug-Debian: https://bugs.debian.org/992070
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/790442/
+Last-Update: 2021-08-14
+
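Review bot: `Description::` has a doubled colon, which DEP-3 tooling will not parse as the Description field; it should be `Description:`. `Bug-Ubuntu:` points at the upstream Launchpad keystone bug rather than an Ubuntu package bug, so the plain `Bug:` field is the right one for that URL. `Origin: upstream` with the review URL is good; adding the upstream commit hash next to it would make the backport easier to verify against the stable branch.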
+diff --git a/keystone/notifications.py b/keystone/notifications.py
+index e536ebd..a59b1d0 100644
+--- a/keystone/notifications.py
++++ b/keystone/notifications.py
+@@ -580,6 +580,8 @@
+                                          taxonomy.OUTCOME_FAILURE,
+                                          target, self.event_type,
+                                          reason=audit_reason)
++                if isinstance(ex, exception.AccountLocked):
++                    raise exception.Unauthorized
+                 raise
+             except Exception:
+                 # For authentication failure send a CADF event as well
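Review bot: the `isinstance(ex, exception.AccountLocked)` check relies on `ex` being bound by the enclosing `except ... as ex:` clause, which lies outside the three lines of context shown, so confirm the name is live at this point in the bullseye version of notifications.py. `raise exception.Unauthorized` inside the handler keeps the AccountLocked as implicit `__context__`, which is fine for server-side tracebacks and means the client only ever receives the generic Unauthorized response. What the hunk does not change is anything else observable about a locked account: if the lockout check happens before the password is verified, response timing could still distinguish a locked user from a wrong password, which this patch does not claim to address and is worth a mention in the release note or a follow-up check.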
+diff --git a/keystone/tests/unit/common/test_notifications.py 
b/keystone/tests/unit/common/test_notifications.py
+index b0fb720..308cc01 100644
+--- a/keystone/tests/unit/common/test_notifications.py
++++ b/keystone/tests/unit/common/test_notifications.py
+@@ -802,7 +802,7 @@
+         password = uuid.uuid4().hex
+         new_password = uuid.uuid4().hex
+         expected_responses = [AssertionError, AssertionError, AssertionError,
+-                              exception.AccountLocked]
++                              exception.Unauthorized]
+         user_ref = unit.new_user_ref(domain_id=self.domain_id,
+                                      password=password)
+         user_ref = PROVIDERS.identity_api.create_user(user_ref)
+diff --git a/keystone/tests/unit/identity/test_backend_sql.py 
b/keystone/tests/unit/identity/test_backend_sql.py
+index 8c7fb31..0a99002 100644
+--- a/keystone/tests/unit/identity/test_backend_sql.py
++++ b/keystone/tests/unit/identity/test_backend_sql.py
+@@ -613,7 +613,7 @@
+             )
+             # test locking out user after max failed attempts
+             self._fail_auth_repeatedly(self.user['id'])
+-            self.assertRaises(exception.AccountLocked,
++            self.assertRaises(exception.Unauthorized,
+                               PROVIDERS.identity_api.authenticate,
+                               user_id=self.user['id'],
+                               password=uuid.uuid4().hex)
+@@ -642,7 +642,7 @@
+         with self.make_request():
+             # lockout user
+             self._fail_auth_repeatedly(self.user['id'])
+-            self.assertRaises(exception.AccountLocked,
++            self.assertRaises(exception.Unauthorized,
+                               PROVIDERS.identity_api.authenticate,
+                               user_id=self.user['id'],
+                               password=uuid.uuid4().hex)
+@@ -661,7 +661,7 @@
+             with self.make_request():
+                 # lockout user
+                 self._fail_auth_repeatedly(self.user['id'])
+-                self.assertRaises(exception.AccountLocked,
++                self.assertRaises(exception.Unauthorized,
+                                   PROVIDERS.identity_api.authenticate,
+                                   user_id=self.user['id'],
+                                   password=uuid.uuid4().hex)
+@@ -687,7 +687,7 @@
+             with self.make_request():
+                 # lockout user
+                 self._fail_auth_repeatedly(self.user['id'])
+-                self.assertRaises(exception.AccountLocked,
++                self.assertRaises(exception.Unauthorized,
+                                   PROVIDERS.identity_api.authenticate,
+                                   user_id=self.user['id'],
+                                   password=uuid.uuid4().hex)
+@@ -697,7 +697,7 @@
+                 # repeat failed auth the max times
+                 self._fail_auth_repeatedly(self.user['id'])
+                 # test user account is locked
+-                self.assertRaises(exception.AccountLocked,
++                self.assertRaises(exception.Unauthorized,
+                                   PROVIDERS.identity_api.authenticate,
+                                   user_id=self.user['id'],
+                                   password=uuid.uuid4().hex)
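Review bot: if `AccountLocked` derives from `Unauthorized` in `keystone/exception.py`, then `self.assertRaises(exception.Unauthorized, ...)` in these hunks (and the `expected_responses` change in the test_notifications hunk) also passes when AccountLocked is still raised, because assertRaises accepts subclasses; the rewritten assertions would then no longer fail on unfixed code. Capture the exception, e.g. `with self.assertRaises(exception.Unauthorized) as ctx:` followed by `self.assertIs(type(ctx.exception), exception.Unauthorized)` (or `assertNotIsInstance(ctx.exception, exception.AccountLocked)`), in at least one of these tests, since the p-u description's claim that the build-time unit tests verify the fix rests on them.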
+diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml 
b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
+new file mode 100644
+index 0000000..bd7a060
+--- /dev/null
++++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
+@@ -0,0 +1,8 @@
++---
++fixes:
++  - |
++    [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
++    Fixed the AccountLocked exception being shown to the end user since
++    it provides some information that could be exploited by a
++    malicious user. The end user will now see Unauthorized instead of
++    AccountLocked, preventing user info oracle exploitation.
diff -Nru keystone-18.0.0/debian/patches/series 
keystone-18.0.0/debian/patches/series
--- keystone-18.0.0/debian/patches/series       2020-11-21 23:09:55.000000000 
+0100
+++ keystone-18.0.0/debian/patches/series       2021-03-17 12:06:20.000000000 
+0100
@@ -1,3 +1,4 @@
 fixes-keystone-default-catalog.patch
 #fixes-default-connection.patch
 install-missing-files.patch
+CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch

--- End Message ---
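The oracle this update closes, and the shape of the fix, as an added example written for this page rather than Keystone's or Debian's own code. The exception names, the lockout_failure_attempts option and the audit-then-re-raise wrapper follow what is visible in the patch above; the in-memory backend, the audit list, the probe() helper and the sample users are constructed here, and the assumption that AccountLocked subclasses Unauthorized should be checked against keystone/exception.py. The last function shows why an assertRaises-style check on Unauthorized alone cannot tell the fixed and unfixed behaviour apart.

```python
"""Model of the CVE-2021-38155 lockout oracle and of the patched behaviour.

Added example, not Keystone's code. The hierarchy Unauthorized -> AccountLocked,
the lockout_failure_attempts option and the audit-then-re-raise wrapper mirror
the patch; the backend, audit log, probe() and sample users are constructed.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Generic authentication failure (HTTP 401) shown to the client."""


class AccountLocked(Unauthorized):
    """Raised once lockout_failure_attempts is exhausted for a user
    (assumed subclass relationship; verify in keystone/exception.py)."""


@dataclass
class IdentityBackend:
    users: dict                        # user_id -> password (constructed sample data)
    lockout_failure_attempts: int = 3
    failures: dict = field(default_factory=dict)

    def authenticate(self, user_id, password):
        if user_id not in self.users:
            raise Unauthorized
        if self.failures.get(user_id, 0) >= self.lockout_failure_attempts:
            raise AccountLocked            # the type that leaked before the fix
        if self.users[user_id] != password:
            self.failures[user_id] = self.failures.get(user_id, 0) + 1
            raise Unauthorized
        self.failures[user_id] = 0
        return "token"


def audited_authenticate(backend, audit_log, user_id, password, hide_locked):
    """Mimic keystone.notifications: record a failure outcome with its reason,
    then re-raise. With hide_locked=True (the patched behaviour) an AccountLocked
    is replaced by a plain Unauthorized before it reaches the caller, while the
    audit record keeps the real reason for operators."""
    try:
        return backend.authenticate(user_id, password)
    except Unauthorized as ex:
        audit_log.append({"user_id": user_id, "outcome": "failure",
                          "reason": type(ex).__name__})
        if hide_locked and isinstance(ex, AccountLocked):
            raise Unauthorized             # as in the patch: re-raised inside the handler
        raise


def probe(backend, user_id, hide_locked, attempts=4):
    """Drive repeated wrong-password attempts as an unauthenticated attacker
    would; return (exception seen on the last attempt, audit reasons)."""
    log, seen = [], None
    for n in range(attempts):
        try:
            audited_authenticate(backend, log, user_id, f"wrong-{n}", hide_locked)
        except Unauthorized as ex:
            seen = ex
    return seen, [entry["reason"] for entry in log]


def sample_backend():
    # Constructed sample: one real user; "nobody" does not exist.
    return IdentityBackend(users={"alice": "s3cret"}, lockout_failure_attempts=3)


def oracle_demo(hide_locked):
    """Attacker's view: exception type names for a real and an unknown user.
    Before the fix they differ (the account/UUID oracle); after it they do not."""
    existing, _ = probe(sample_backend(), "alice", hide_locked)
    unknown, _ = probe(sample_backend(), "nobody", hide_locked)
    return type(existing).__name__, type(unknown).__name__


def audit_view(hide_locked):
    """Operator's view: the audit trail still records the lockout either way."""
    _, reasons = probe(sample_backend(), "alice", hide_locked)
    return reasons


def assertion_strength(hide_locked):
    """Why a regression test must check the exact type: an isinstance check
    (what assertRaises does) accepts the subclass and so passes before and after
    the fix; only an exact type comparison distinguishes the two."""
    existing, _ = probe(sample_backend(), "alice", hide_locked)
    return isinstance(existing, Unauthorized), type(existing) is Unauthorized


if __name__ == "__main__":
    for fixed in (False, True):
        print("patched" if fixed else "vulnerable", oracle_demo(fixed),
              audit_view(fixed), assertion_strength(fixed))
```

Run it and the vulnerable mode reports ("AccountLocked", "Unauthorized") for the two users, i.e. the response type alone tells an attacker which user ids exist once lockout_failure_attempts is set; the patched mode reports Unauthorized for both while the audit reasons still end in AccountLocked, so operators lose nothing. The assertion_strength output is the point of the review note on the test hunks: a check that only asks for Unauthorized passes in both modes.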
--- Begin Message ---
Package: release.debian.org
Version: 11.2

Hi,

All of the updates referred to by these bugs were included in this
morning's bullseye point release.

Regards,

Adam

--- End Message ---
