Bug#749026: [PKG-Openstack-devel] Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
On 05/23/2014 01:16 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Severity: grave
> Tags: security upstream
>
> Hi Thomas,
>
> the following vulnerability was published for keystone.
>
> CVE-2014-0204[0]:
> Keystone user and group id mismatch
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
>     https://security-tracker.debian.org/tracker/CVE-2014-0204
> [1] https://bugs.launchpad.net/keystone/%2Bbug/1309228
>
> From the advisory (code not checked) it looks like the wheezy version
> should not be affected, but could you please adjust the affected versions
> in the BTS as needed?
>
> Regards,
> Salvatore

Hi Salvatore,

This was already uploaded in version 2014.1-3. I forgot to edit the
debian/changelog for this (I uploaded mistakenly before I was finished
with my work). However, there's an update for the patch which the package
still doesn't have, so I will leave the bug open until I can find the time
to push for an updated patch.

Thanks for your care,

Thomas Goirand (zigo)

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#749026: [PKG-Openstack-devel] Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
Hi Thomas,

On Fri, May 23, 2014 at 02:39:20PM +0800, Thomas Goirand wrote:
> On 05/23/2014 01:16 PM, Salvatore Bonaccorso wrote:
> [...]
>
> Hi Salvatore,
>
> This was already uploaded in version 2014.1-3. I forgot to edit the
> debian/changelog for this (I uploaded mistakenly before I was finished
> with my work). However, there's an update for the patch which the package
> still doesn't have, so I will leave the bug open until I can find the time
> to push for an updated patch.

Indeed, thanks for the correction! I have also added a note on the
security-tracker that the patch needs a follow-up patch first (and we can
then mark it as fixed with 2014.1-4 or whatever it will be).

Thanks for your work,

Regards,
Salvatore
Bug#749026: [PKG-Openstack-devel] Bug#749026: Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
On 05/23/2014 03:00 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> On Fri, May 23, 2014 at 02:39:20PM +0800, Thomas Goirand wrote:
> [...]
>
> Indeed, thanks for the correction! I have also added a note on the
> security-tracker that the patch needs a follow-up patch first (and we can
> then mark it as fixed with 2014.1-4 or whatever it will be).
>
> Thanks for your work,
>
> Regards,
> Salvatore

Thanks.

FYI, Essex (e.g. what's in Wheezy) isn't affected. Also, the current
backport to Icehouse (e.g. 2014.1) is still under review:
https://review.openstack.org/#/c/94397/

I prefer to wait until the review process is finished. As I understand,
the regression is: a userid containing a ',' can't log in.

Do you think, like I do, that I should lower the severity of this bug
and let 2014.1-3 migrate to testing?

Cheers,

Thomas Goirand (zigo)
Bug#749026: [PKG-Openstack-devel] Bug#749026: Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
Hi Thomas,

On Fri, May 23, 2014 at 03:50:47PM +0800, Thomas Goirand wrote:
[...]
> FYI, Essex (e.g. what's in Wheezy) isn't affected. Also, the current
> backport to Icehouse (e.g. 2014.1) is still under review:
> https://review.openstack.org/#/c/94397/
>
> I prefer to wait until the review process is finished. As I understand,
> the regression is: a userid containing a ',' can't log in.
>
> Do you think, like I do, that I should lower the severity of this bug
> and let 2014.1-3 migrate to testing?

Yes, I think it is fine to lower the severity of this bug to important.

Regards,
Salvatore
Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users
Source: keystone
Severity: grave
Tags: security upstream

Hi Thomas,

the following vulnerability was published for keystone.

CVE-2014-0204[0]:
Keystone user and group id mismatch

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
    https://security-tracker.debian.org/tracker/CVE-2014-0204
[1] https://bugs.launchpad.net/keystone/%2Bbug/1309228

From the advisory (code not checked) it looks like the wheezy version
should not be affected, but could you please adjust the affected versions
in the BTS as needed?

Regards,
Salvatore