[PKG-Openstack-devel] Bug#751454: Bug#751454: keystone: CVE-2014-3476: privilege escalation through trust chained delegation

Salvatore Bonaccorso carnil at debian.org
Fri Jun 13 11:08:52 UTC 2014


Hi Thomas,

On Fri, Jun 13, 2014 at 06:51:27PM +0800, Thomas Goirand wrote:
> On 06/13/2014 12:44 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Severity: grave
> > Tags: security upstream patch
> > Justification: user security hole
> > 
> > Hi Thomas,
> > 
> > As you might know, the following vulnerability was published for
> > keystone.
> > 
> > CVE-2014-3476[0]:
> > privilege escalation through trust chained delegation
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2014-3476
> > [1] http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html
> > 
> > Please adjust the affected versions in the BTS as needed. From the
> > advisory at least all versions up to 2013.2.3, and 2014.1 to 2014.1.1
> > are affected.
> > 
> > Regards and thanks for your work,
> > Salvatore
> 
> Hi Salvatore,
> 
> Thanks for the update. I received the pre-OSSA, but didn't find the time
> to address it before now.
> 
> I just uploaded the fix for Sid with urgency=high.

Thanks!
> 
> As much as I can tell, the Wheezy version isn't affected. None of the
> source code patched is present in the Essex version of Keystone. This is
> also what the OSSA tells.
> 
> I have updated the BTS, I believe I don't have the credentials for the
> security-tracker. Please mark Wheezy as unaffected, and sid as fixed in
> version 2014.1.1-2.

Ok, thanks for checking here. I have just marked wheezy as not
affected in the tracker.

Regards,
Salvatore
