[PKG-Openstack-devel] Bug#749026: Bug#749026: Bug#749026: keystone: CVE-2014-0204: Improper role assignments to users

Thomas Goirand zigo at debian.org
Fri May 23 07:50:47 UTC 2014


On 05/23/2014 03:00 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> On Fri, May 23, 2014 at 02:39:20PM +0800, Thomas Goirand wrote:
>> On 05/23/2014 01:16 PM, Salvatore Bonaccorso wrote:
>>> Source: keystone
>>> Severity: grave
>>> Tags: security upstream
>>>
>>> Hi Thomas,
>>>
>>> the following vulnerability was published for keystone.
>>>
>>> CVE-2014-0204[0]:
>>> Keystone user and group id mismatch
>>>
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204
>>>     https://security-tracker.debian.org/tracker/CVE-2014-0204
>>> [1] https://bugs.launchpad.net/keystone/%2Bbug/1309228
>>>
>>> From the advisory (code not checked) it looks like the wheezy version should not be
>>> affected, but could you please adjust the affected versions in the BTS
>>> as needed?
>>>
>>> Regards,
>>> Salvatore
>>
>> Hi Salvatore,
>>
>> This was already uploaded in version 2014.1-3. I forgot to edit the
>> debian/changelog for this (I uploaded mistakenly before I was finished
>> with my work). However, there's an update for the patch which the
>> package still doesn't have, so I will leave the bug open until I can
>> find the time to push for an updated patch.
> 
> Indeed, thanks for the correction! I have also added a note on the
> security-tracker that the patch needs a follow-up patch first (and we
> can then mark it as fixed with 2014.1-4 or whatever it will be).
> 
> Thanks for your work,
> 
> Regards,
> Salvatore

Thanks.

FYI, Essex (eg: what's in Wheezy) isn't affected. Also, the current
backport to Icehouse (eg: 2014.1) is still under review:

https://review.openstack.org/#/c/94397/

I prefer to wait until the review process is finished. As I understand,
the regression is: a userid containing a ',' can't log in.

Do you think, like I do, that I should lower the severity of this bug
and let 2014.1-3 migrate to testing?

Cheers,

Thomas Goirand (zigo)
