
Debian Bug report logs - #728233
keystone: CVE-2013-4477: remove role assignment adds role using LDAP assignment


Package: keystone; Maintainer for keystone is Debian OpenStack <team+openstack@tracker.debian.org>; Source for keystone is src:keystone (PTS, buildd, popcon).

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 29 Oct 2013 19:57:01 UTC

Severity: grave

Tags: patch, security, upstream

Fixed in version keystone/2013.2-2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#728233; Package keystone. (Tue, 29 Oct 2013 19:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 29 Oct 2013 19:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: keystone: CVE-2013-4477: remove role assignment adds role using LDAP assignment
Date: Tue, 29 Oct 2013 20:52:34 +0100
Package: keystone
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for keystone.

CVE-2013-4477[0]:
OpenStack Keystone: Unintentional role granting with Keystone LDAP backend

Patches are available through the bug report at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4477
[1] https://bugs.launchpad.net/keystone/+bug/1242855

Please adjust the affected versions in the BTS as needed (e.g. not
checked if stable is affected).

Regards and thanks for your work!

Salvatore



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sun, 03 Nov 2013 09:21:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 03 Nov 2013 09:21:10 GMT)


Message #10 received at 728233-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 728233-close@bugs.debian.org
Subject: Bug#728233: fixed in keystone 2013.2-2
Date: Sun, 03 Nov 2013 09:18:58 +0000
Source: keystone
Source-Version: 2013.2-2

We believe that the bug you reported is fixed in the latest version of
keystone, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated keystone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 03 Nov 2013 16:02:42 +0800
Source: keystone
Binary: python-keystone keystone keystone-doc
Architecture: source all
Version: 2013.2-2
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 keystone   - OpenStack identity service
 keystone-doc - OpenStack identity service - documentation
 python-keystone - OpenStack identity service - library
Closes: 728233
Changes: 
 keystone (2013.2-2) unstable; urgency=low
 .
   * Moved python-memcache to Depends: instead of Recommends:.
   * Added missing python-babel depends.
   * Fixes a failed install if the target computer doesn't have a default route
     (lp: #1247342).
   * CVE-2013-4477: remove role assignment adds role using LDAP assignment
     (Closes: #728233).
Checksums-Sha1: 
 3f2d6a234268b4c342f16ca22dd49e6096f90192 3087 keystone_2013.2-2.dsc
 2490d994fea77002164e0409a0f812969ae2d272 245924 keystone_2013.2-2.debian.tar.gz
 a6697e51071d40458a84b12e9bda939140fd9d89 561068 python-keystone_2013.2-2_all.deb
 02fab3886265443f7a883a0598279ab789b4bbc6 254150 keystone_2013.2-2_all.deb
 523254c78f4c9b9fdf78871604c56e72f6c1d793 414052 keystone-doc_2013.2-2_all.deb
Checksums-Sha256: 
 91ac6a3a0ae969296a134a24a0e4c90d2976b9233107bcfdce88f0994ccb6739 3087 keystone_2013.2-2.dsc
 ce913109e33bb67a95e96a141456ab997b2bbcc00d9c554d3b905d4cfcd031c6 245924 keystone_2013.2-2.debian.tar.gz
 278296befd59ae4f6ae0cb3c450b5c750bfbe1b0e4469a4661f2e2fc993f0c61 561068 python-keystone_2013.2-2_all.deb
 c608c5b04497f2e6189eeef1aa201e231067744a15560311854761bbf1e78606 254150 keystone_2013.2-2_all.deb
 c3f981a3b91d96060fbde50d9b08edff6cab17b9d5f7beee092c3e0751dc6462 414052 keystone-doc_2013.2-2_all.deb
Files: 
 2213e6c09bcdbd346014b53243d57c43 3087 net extra keystone_2013.2-2.dsc
 4c9012df783f8f0fe67d3e6efb04f454 245924 net extra keystone_2013.2-2.debian.tar.gz
 97a88646a874e7e537f0f418e8079dc9 561068 python extra python-keystone_2013.2-2_all.deb
 824feac794f9f82db2c86ae17b33151d 254150 python extra keystone_2013.2-2_all.deb
 3a1ade80e574ffb28f556a8868857093 414052 doc extra keystone-doc_2013.2-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:35:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 15 05:46:17 2025; Machine Name: berlioz
