[PKG-Openstack-devel] Bug#762749: Bug#762749: Bug#762749: [CVE-2014-7144] TLS cert verification option not honored in paste configs

Thomas Goirand zigo at debian.org
Thu Sep 25 12:42:03 UTC 2014


On 09/25/2014 05:05 PM, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> (only replying for the version information, haven't looked at the actual issues):
> 
> On Thu, Sep 25, 2014 at 03:28:41PM +0800, Thomas Goirand wrote:
>> On 09/25/2014 05:34 AM, Luciano Bello wrote:
>>> Package: python-keystoneclient
>>> Severity: important
>>> Tags: security upstream patch fixed-upstream
>>>
>>> Hi there,
>>>     the following vulnerabilities were published for python-keystoneclient:
>>>
>>> CVE-2014-7144: TLS cert verification option not honored in paste configs
>>>
>>> If you fix the vulnerabilities please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>> http://seclists.org/oss-sec/2014/q3/620
>>> https://review.openstack.org/#/c/113191/
>>>
>>> Please adjust the affected versions in the BTS as needed. Can you please confirm 
>>> to the security-team if the stable version is affected?
>>>
>>> Regards, luciano
>>
>> Hi Luciano,
>>
>> You've sent the same bug report twice, using the same CVE, but for both
>> keystonemiddleware and keystoneclient. Is this intentional?
>>
>> CVE-2014-7144 is about keystonemiddleware. Stable isn't affected (it
>> doesn't contain keystonemiddleware). Though if there's another CVE which
>> I'm not (yet) aware of on keystoneclient, then this would have to be
>> checked.
> 
> This is according to the upstream advisory at
> http://www.openwall.com/lists/oss-security/2014/09/17/3
> 
> Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1
> (python-keystoneclient)
> 
> Does this hold also for python-keystoneclient in Debian?

Yes, it seems the versions currently in Sid/Jessie and Experimental are
affected. I think I'm going to upload version 0.10.1 into Sid, since
there's no dependency problem (and python-*client packages are always
backward compatible with older API). Then I'll upgrade to a newer
version in Experimental (which may be better for the latest release of
OpenStack Juno anyway).

As for what's in Wheezy, I just had a look. It doesn't seem like it
would be affected, because the code is very different, and there's not
even a middleware folder there.

Cheers,

Thomas Goirand (zigo)
