[Openstack-devel] Bug#700240: Vulnerability in OpenStack Keystone
Thierry Carrez
thierry at openstack.org
Thu Feb 14 16:05:33 UTC 2013
Thomas Goirand wrote:
> Hi Thierry and Dan,
>
> I got very confused about CVE-2013-0247 and CVE-2013-0270.
>
> I have already uploaded the fix for CVE-2013-0247 in Debian SID, and now
> I'm trying to understand what CVE-2013-0270 is about. My request about
> it in the Openstack development list was left without an answer, so I'm
> asking you directly, with Cc: to the already opened Debian bug.
Sorry for the delay in answering, I'm travelling right now so it's a bit
difficult to make the research. I have no idea what CVE-2013-0270 is. So
it might indeed be a duplicate of CVE-2013-0247, which is the one we
issued OSSA-2013-003 for.
> The problem is that the patches I've read for CVE-2013-0270 for Essex
> seem to do the exact same thing as the patches for CVE-2013-0247 (in a
> slightly different way), and of course, both patches are conflicting.
>
> So, could you please confirm what my guts are telling me, which is that
> this patch:
> http://anonscm.debian.org/gitweb/?p=openstack/keystone.git;a=commitdiff;h=b6fe7d8c7719996b3b5a8765dee55bb0eb2944df
>
> which fixes CVE-2013-0247 also fixes CVE-2013-0270 which must be a
> duplicate of CVE-2013-0247. If this isn't the case, please tell me
> what's going on, and what you think I should do to fix Keystone in
> Debian Wheezy. I can apply things "by hand" if needed...
I think you are right. I suspect CVE-2013-0270 was assigned after we
released our advisory which was about -0247.
Cheers,
--
Thierry Carrez (ttx)
Release Manager, OpenStack