Re: Taking care of Keystone in Stretch and Jessie
On Fri, May 15, 2020 at 03:49:10PM +0200, Thomas Goirand wrote:
> On 5/15/20 3:12 PM, Sylvain Beucler wrote:
> > Hi Thomas,
> > On 14/05/2020 19:08, Thomas Goirand wrote:
> >> I released an update of Keystone for a quite serious problem related to
> >> ec2 credentials where a user can become admin. I was able to fix the
> >> last 4 releases of OpenStack. Though I don't have the energy to
> >> investigate these CVEs in Stretch and Jessie. Probably Keystone over
> >> there isn't even affected, I don't know.
> >> Is anyone interested in doing the work? If so, best would be to look at the
> >> 4 patches I added to the security release of Keystone in Buster.
> > Thanks for the info.
> > OpenStack was recently marked EOL in Jessie, citing a 2015 message from
> > you actually:
> > https://salsa.debian.org/debian/debian-security-support/commit/486197770133ba3c2f3a827802539661a06bc592
> > https://lists.debian.org/debian-lts/2015/11/msg00024.html
> > Does that sound OK?
> Right. That feels ok to me. I don't think we'd get any help from
> upstream for things more than 2 years old, so it feels unsustainable.
Yeah, I agree. No one uses stock versions of OpenStack that old; anything
older than two years is just updating something that won't ever get used.