[PKG-Openstack-devel] Bug#749026: Bug#749026: keystone: CVE-2014-0204: improper role assignments to users

Salvatore Bonaccorso carnil at debian.org
Fri May 23 07:00:42 UTC 2014


Hi Thomas,

On Fri, May 23, 2014 at 02:39:20PM +0800, Thomas Goirand wrote:
> On 05/23/2014 01:16 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Severity: grave
> > Tags: security upstream
> > 
> > Hi Thomas,
> > 
> > the following vulnerability was published for keystone.
> > 
> > CVE-2014-0204[0]:
> > Keystone user and group id mismatch
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
> >     https://security-tracker.debian.org/tracker/CVE-2014-0204
> > [1] https://bugs.launchpad.net/keystone/%2Bbug/1309228
> > 
> > From the advisory (code not checked) it looks like the wheezy version should not be
> > affected, but could you please adjust the affected versions in the BTS
> > as needed?
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore,
> 
> This was already uploaded in version 2014.1-3. I forgot to edit the
> debian/changelog for this (I uploaded mistakenly before I was finished
> with my work). However, there's an update for the patch which the
> package still doesn't have, so I will leave the bug open until I can
> find the time to push for an updated patch.

Indeed, thanks for the correction! I have also added a note on the
security-tracker that the patch needs a follow-up patch first (and we
can then mark it as fixed with 2014.1-4 or whatever it will be).

Thanks for your work,

Regards,
Salvatore


