Bug#686321: unblock: keystone/2012.1.1-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package keystone.
This fixes CVE-2012-3542 (which was embargoed until yesterday), adds
a Chinese Debconf translation, and fixes the nl one:
* CVE-2012-3542: Fixes lack of authorization for adding users to tenants (Closes: #686265)
* Added Chinese debconf translation thanks to ben <duyujie.dyj@gmail.com>.
* Really adds the nl debconf translation this time (Closes: #685671).
Diff file attached.
Please unblock keystone/2012.1.1-5.
Cheers,
Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index 8cff360..f9d3d3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+keystone (2012.1.1-5) unstable; urgency=low
+
+ * CVE-2012-3542: Fixes lack of authorization for adding users to tenants
+ (Closes: #686265)
+ * Added Chinese debconf translation thanks to ben <duyujie.dyj@gmail.com>.
+ * Really adds the nl debconf translation this time (Closes: #685671).
+
+ -- Thomas Goirand <zigo@debian.org> Mon, 27 Aug 2012 11:45:44 +0000
+
keystone (2012.1.1-4) unstable; urgency=low
* Updated debian/keystone.templates, debian/control after review from
diff --git a/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch b/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
new file mode 100644
index 0000000..1634e1e
--- /dev/null
+++ b/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
@@ -0,0 +1,22 @@
+Description: Lack of authorization for adding users to tenants
+ Dolph Mathews reported a vulnerability in Keystone. When attempting to
+ update a user's default tenant, Keystone will only partially deny the
+ request when a user is not authorized to complete this action. The API
+ responds with 401 Not Authorized and the user's default tenant is not
+ changed. However, the user is still granted membership to this new
+ tenant. The result is that any client that can reach the
+ administrative API (deployed on port 35357, by default) can add any
+ user to any tenant.
+Origin: https://review.openstack.org/#/c/11869/
+Bug-Debian: http://bugs.debian.org/686265
+
+--- keystone-2012.1.1.orig/keystone/identity/core.py
++++ keystone-2012.1.1/keystone/identity/core.py
+@@ -436,6 +436,7 @@ class UserController(wsgi.Application):
+
+ def update_user_tenant(self, context, user_id, user):
+ """Update the default tenant."""
++ self.assert_admin(context)
+ # ensure that we're a member of that tenant
+ tenant_id = user.get('tenantId')
+ self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
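Review bot: the added `self.assert_admin(context)` sits at the top of `update_user_tenant`, before `self.identity_api.add_user_to_tenant(context, tenant_id, user_id)`, so the side effect described in the header (membership granted even though the API answers 401) can no longer occur ahead of the authorization failure; confirm that the later check which produced the 401 still exists further down the method (outside this hunk) or is now redundant, and add a regression test asserting that a non-admin context gets 401 and the user gains no tenant membership. The DEP-3 header is also missing `Author:`, `Last-Update:` and `Applied-Upstream:`; per DEP-3 the `Origin:` value should be prefixed with its category, e.g. `Origin: upstream, https://review.openstack.org/#/c/11869/`.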
diff --git a/debian/patches/series b/debian/patches/series
index 1e2e5fa..6fbf616 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ logging.conf.patch
pip-require_versions
default_catalog.patch
sql_conn.patch
+CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
diff --git a/debian/po/nl.po b/debian/po/nl.po
index 7a9060b..59988ec 100644
--- a/debian/po/nl.po
+++ b/debian/po/nl.po
@@ -1,14 +1,14 @@
-# Dutch translation of nova debconf templates.
+# Dutch translation of keystone debconf templates.
# Copyright (C) 2012 THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the nova package.
# Jeroen Schot <schot@a-eskwadraat.nl>, 2012.
#
msgid ""
msgstr ""
-"Project-Id-Version: nova 2012.1-6\n"
+"Project-Id-Version: keystone 2012.1.1-4\n"
"Report-Msgid-Bugs-To: keystone@packages.debian.org\n"
"POT-Creation-Date: 2012-08-11 08:37+0200\n"
-"PO-Revision-Date: 2012-06-13 13:30+0200\n"
+"PO-Revision-Date: 2012-08-22 12:24+0200\n"
"Last-Translator: Jeroen Schot <schot@a-eskwadraat.nl>\n"
"Language-Team: Debian l10n Dutch <debian-l10n-dutch@lists.debian.org>\n"
"Language: nl\n"
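Review bot: the title comment is corrected from nova to keystone, but the unchanged context line `# This file is distributed under the same license as the nova package.` still names nova; fix it in the same hunk. `Project-Id-Version: keystone 2012.1.1-4` is also one revision behind the 2012.1.1-5 upload this changelog introduces, which is harmless but worth bumping while the file is touched.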
@@ -67,16 +67,16 @@ msgid ""
"keystone\"."
msgstr ""
"U kunt deze instelling later wijzigen door het uitvoeren van \"dpkg-"
-"reconfigure keystone\". "
+"reconfigure -plow keystone\". "
#. Type: string
#. Description
#: ../keystone.templates:3001
msgid "Authentication server administration token:"
-msgstr ""
+msgstr "Beheer-token van authenticatieserver:"
#. Type: string
#. Description
#: ../keystone.templates:3001
msgid "Please enter the token to use with the authentication server."
-msgstr ""
+msgstr "Welke token moet er met de authenticatieserver worden gebruikt?"
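Review bot: the `-plow` addition brings the Dutch string in line with the template wording `dpkg-reconfigure -plow keystone`, but the trailing space inside the msgstr (`keystone\". `) is carried over from the old line and has no counterpart in the msgid, which ends at `keystone\".`; drop it so the translation ends where the original does.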
diff --git a/debian/po/zh_CN.po b/debian/po/zh_CN.po
new file mode 100644
index 0000000..4be1534
--- /dev/null
+++ b/debian/po/zh_CN.po
@@ -0,0 +1,55 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: keystone\n"
+"Report-Msgid-Bugs-To: keystone@packages.debian.org\n"
+"POT-Creation-Date: 2012-06-27 19:39+0200\n"
+"PO-Revision-Date: 2012-08-27 16:22+0800\n"
+"Last-Translator: ben <duyujie.dyj@gmail.com>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "Set up a database for Keystone?"
+msgstr "为Keystone设置数据库"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "No database has been set up for Keystone to use. If you want to set one up now, please make sure you have all needed information:"
+msgstr "未曾为Keystone设置数据库。如果你想现在设置,请确定你有以下信息:"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid ""
+" * the host name of the database server (which must allow TCP\n"
+" connections from this machine);\n"
+" * a username and password to access the database;\n"
+" * the type of database management software you want to use."
+msgstr ""
+" * 数据库服务器的主机名 (需要这台主机的TCP链接);\n"
+" * 访问这个数据库的用户名及密码;\n"
+" * 你希望使用的数据库管理软件的类型。"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "If you don't choose this option, no database will be set up and Keystone will use regular SQLite support."
+msgstr "如果你没有选择该项,不会设置数据库并且Keystone将会使用SQLite。"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "You can change this setting later on by running \"dpkg-reconfigure -plow keystone\"."
+msgstr "您可以通过运行\"dpkg-reconfigure-plow keystone\" 命令来修改配置。"
+
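Review bot: the last msgstr renders the command as `"dpkg-reconfigure-plow keystone"`, missing the space before `-plow`, so a user copying it verbatim gets a command-not-found error; it must read `dpkg-reconfigure -plow keystone` as in the msgid. The header still carries the msginit placeholders (`SOME DESCRIPTIVE TITLE`, `Copyright (C) YEAR`, `FIRST AUTHOR <EMAIL@ADDRESS>, YEAR`, `Language-Team: LANGUAGE <LL@li.org>`) and an empty `Language:` field, which should be `zh_CN`. The `POT-Creation-Date: 2012-06-27` predates the `2012-08-11` template the nl.po hunk above was updated against, and the file contains only the `keystone.templates:1001` entries, so the later prompts (e.g. the `3001` administration token strings) will show untranslated; run it through msgmerge against the current templates.pot before shipping. Finally, the parenthetical `(需要这台主机的TCP链接)` inverts the meaning of `which must allow TCP connections from this machine`: the requirement is on the database server accepting connections from this host, not the other way round.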