[PKG-Openstack-devel] Bug#762749: Bug#762749: [CVE-2014-7144] TLS cert verification option not honored in paste configs
Salvatore Bonaccorso
carnil at debian.org
Thu Sep 25 09:05:12 UTC 2014
Hi Thomas,
(only replying for the version information, haven't looked at the actual issues):
On Thu, Sep 25, 2014 at 03:28:41PM +0800, Thomas Goirand wrote:
> On 09/25/2014 05:34 AM, Luciano Bello wrote:
> > Package: python-keystoneclient
> > Severity: important
> > Tags: security upstream patch fixed-upstream
> >
> > Hi there,
> > the following vulnerabilities were published for python-keystoneclient:
> >
> > CVE-2014-7144: TLS cert verification option not honored in paste configs
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> > http://seclists.org/oss-sec/2014/q3/620
> > https://review.openstack.org/#/c/113191/
> >
> > Please adjust the affected versions in the BTS as needed. Can you please confirm
> > to the security-team if the stable version is affected?
> >
> > Regards, luciano
>
> Hi Luciano,
>
> You've sent the same bug report twice, using the same CVE, but for both
> keystonemiddleware and keystoneclient. Is this intentional?
>
> CVE-2014-7144 is about keystonemiddleware. Stable isn't affected (it
> doesn't contain keystonemiddleware). Though if there's another CVE which
> I'm not (yet) aware of on keystoneclient, then this would have to be
> checked.
This is according to the upstream advisory at
http://www.openwall.com/lists/oss-security/2014/09/17/3
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1
(python-keystoneclient)
Does this hold also for python-keystoneclient in Debian?
Regards,
Salvatore