
Re: Taking care of Keystone in Stretch and Jessie



On 5/15/20 3:12 PM, Sylvain Beucler wrote:
> Hi Thomas,
> 
> On 14/05/2020 19:08, Thomas Goirand wrote:
>> I released an update of Keystone for a quite serious problem related to
>> ec2 credentials where a user can become admin. I was able to fix the
>> last 4 releases of OpenStack. Though I don't have the energy to
>> investigate these CVEs in Stretch and Jessie. Probably Keystone over
>> there isn't even affected, I don't know.
>>
>> Is anyone interested in doing the work? If so, the best approach would be to look at the
>> 4 patches I added to the security release of Keystone in Buster.
> 
> Thanks for the info.
> 
> OpenStack was recently marked EOL in Jessie, citing a 2015 message from
> you actually:
> https://salsa.debian.org/debian/debian-security-support/commit/486197770133ba3c2f3a827802539661a06bc592
> https://lists.debian.org/debian-lts/2015/11/msg00024.html
> Does that sound OK?

Right. That feels ok to me. I don't think we'd get any help from
upstream for things more than 2 years old, so it feels unsustainable.

> Stretch is still maintained by Debian Security team (though LTS will
> take over within a couple months), adding them in Cc: to discuss what to
> do in Stretch.

Thanks. If anyone from the LTS team feels like working on Keystone, I can
grant write access on the Git on Salsa. We have the full history of all
OpenStack releases in Git since further back than I can even remember
(probably since 8 years ago). IMO, the first thing that should be done
is to investigate whether these CVEs are relevant to Stretch. Probably they
aren't, because I don't think Keystone 10.x.x has support for scopes (and
this is what the CVEs were about).

Cheers,

Thomas Goirand (zigo)

