
Bug#686321: unblock: keystone/2012.1.1-5

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package keystone.

This fixes CVE-2012-3542 (which was embargoed until yesterday), adds
a Chinese Debconf translation, and fixes the nl one:

* CVE-2012-3542: Fixes lack of authorization for adding users to tenants (Closes: #686265)
* Added Chinese debconf translation thanks to ben <duyujie.dyj@gmail.com>.
* Really adds the nl debconf translation this time (Closes: #685671).

Diff file attached.

Please unblock keystone/2012.1.1-5.

Cheers,

Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index 8cff360..f9d3d3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+keystone (2012.1.1-5) unstable; urgency=low
+
+  * CVE-2012-3542: Fixes lack of authorization for adding users to tenants
+  (Closes: #686265)
+  * Added Chinese debconf translation thanks to ben <duyujie.dyj@gmail.com>.
+  * Really adds the nl debconf translation this time (Closes: #685671).
+
+ -- Thomas Goirand <zigo@debian.org>  Mon, 27 Aug 2012 11:45:44 +0000
+
 keystone (2012.1.1-4) unstable; urgency=low
 
   * Updated debian/keystone.templates, debian/control after review from
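Review bot: the continuation line `(Closes: #686265)` in the new changelog entry is indented with two spaces, the same as the `*` bullet, instead of the four spaces used to align wrapped bullet text in Debian changelogs; dpkg-parsechangelog still picks up the Closes, but the entry reads as a separate bullet without one, so indent it under the text of the preceding line.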
diff --git a/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch b/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
new file mode 100644
index 0000000..1634e1e
--- /dev/null
+++ b/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
@@ -0,0 +1,22 @@
+Description: Lack of authorization for adding users to tenants
+ Dolph Mathews reported a vulnerability in Keystone. When attempting to
+ update a user's default tenant, Keystone will only partially deny the
+ request when a user is not authorized to complete this action. The API
+ responds with 401 Not Authorized and the user's default tenant is not
+ changed. However, the user is still granted membership to this new
+ tenant. The result is that any client that can reach the
+ administrative API (deployed on port 35357, by default) can add any
+ user to any tenant.
+Origin: https://review.openstack.org/#/c/11869/
+Bug-Debian: http://bugs.debian.org/686265
+
+--- keystone-2012.1.1.orig/keystone/identity/core.py
++++ keystone-2012.1.1/keystone/identity/core.py
+@@ -436,6 +436,7 @@ class UserController(wsgi.Application):
+ 
+     def update_user_tenant(self, context, user_id, user):
+         """Update the default tenant."""
++        self.assert_admin(context)
+         # ensure that we're a member of that tenant
+         tenant_id = user.get('tenantId')
+         self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
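Review bot: placing `self.assert_admin(context)` as the first statement of `update_user_tenant` is the right shape for this fix: the visible context shows `add_user_to_tenant` is called before the default-tenant update, so the old code performed the membership write and only then failed authorization, which is exactly the partial denial the Description explains. Two things worth adding to the patch file itself: a DEP-3 category on the origin line (`Origin: upstream, https://review.openstack.org/#/c/11869/`) since this comes from the upstream review, and, if one exists upstream, the accompanying regression test that asserts a non-admin call leaves the user's tenant membership unchanged rather than only checking the 401.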
diff --git a/debian/patches/series b/debian/patches/series
index 1e2e5fa..6fbf616 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ logging.conf.patch
 pip-require_versions
 default_catalog.patch
 sql_conn.patch
+CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
diff --git a/debian/po/nl.po b/debian/po/nl.po
index 7a9060b..59988ec 100644
--- a/debian/po/nl.po
+++ b/debian/po/nl.po
@@ -1,14 +1,14 @@
-# Dutch translation of nova debconf templates.
+# Dutch translation of keystone debconf templates.
 # Copyright (C) 2012 THE PACKAGE'S COPYRIGHT HOLDER
 # This file is distributed under the same license as the nova package.
 # Jeroen Schot <schot@a-eskwadraat.nl>, 2012.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: nova 2012.1-6\n"
+"Project-Id-Version: keystone 2012.1.1-4\n"
 "Report-Msgid-Bugs-To: keystone@packages.debian.org\n"
 "POT-Creation-Date: 2012-08-11 08:37+0200\n"
-"PO-Revision-Date: 2012-06-13 13:30+0200\n"
+"PO-Revision-Date: 2012-08-22 12:24+0200\n"
 "Last-Translator: Jeroen Schot <schot@a-eskwadraat.nl>\n"
 "Language-Team: Debian l10n Dutch <debian-l10n-dutch@lists.debian.org>\n"
 "Language: nl\n"
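Review bot: the licence comment on the third line of the hunk still reads `the same license as the nova package` even though the title line above it was corrected from nova to keystone; change it to `# This file is distributed under the same license as the keystone package.` in the same pass. `Project-Id-Version: keystone 2012.1.1-4` is also one revision behind the upload this diff belongs to, though that field is informational only.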
@@ -67,16 +67,16 @@ msgid ""
 "keystone\"."
 msgstr ""
 "U kunt deze instelling later wijzigen door het uitvoeren van \"dpkg-"
-"reconfigure keystone\". "
+"reconfigure -plow keystone\". "
 
 #. Type: string
 #. Description
 #: ../keystone.templates:3001
 msgid "Authentication server administration token:"
-msgstr ""
+msgstr "Beheer-token van authenticatieserver:"
 
 #. Type: string
 #. Description
 #: ../keystone.templates:3001
 msgid "Please enter the token to use with the authentication server."
-msgstr ""
+msgstr "Welke token moet er met de authenticatieserver worden gebruikt?"
diff --git a/debian/po/zh_CN.po b/debian/po/zh_CN.po
new file mode 100644
index 0000000..4be1534
--- /dev/null
+++ b/debian/po/zh_CN.po
@@ -0,0 +1,55 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: keystone\n"
+"Report-Msgid-Bugs-To: keystone@packages.debian.org\n"
+"POT-Creation-Date: 2012-06-27 19:39+0200\n"
+"PO-Revision-Date: 2012-08-27 16:22+0800\n"
+"Last-Translator: ben <duyujie.dyj@gmail.com>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "Set up a database for Keystone?"
+msgstr "为Keystone设置数据库"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "No database has been set up for Keystone to use. If you want to set one up now, please make sure you have all needed information:"
+msgstr "未曾为Keystone设置数据库。如果你想现在设置,请确定你有以下信息:"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid ""
+" * the host name of the database server (which must allow TCP\n"
+"   connections from this machine);\n"
+" * a username and password to access the database;\n"
+" * the type of database management software you want to use."
+msgstr ""
+" * 数据库服务器的主机名 (需要这台主机的TCP链接);\n"
+" * 访问这个数据库的用户名及密码;\n"
+" * 你希望使用的数据库管理软件的类型。"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "If you don't choose this option, no database will be set up and Keystone will use regular SQLite support."
+msgstr "如果你没有选择该项,不会设置数据库并且Keystone将会使用SQLite。"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "You can change this setting later on by running \"dpkg-reconfigure -plow keystone\"."
+msgstr "您可以通过运行\"dpkg-reconfigure-plow keystone\" 命令来修改配置。"
+
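Review bot: the last msgstr renders the command as `"dpkg-reconfigure-plow keystone"`, dropping the space between `dpkg-reconfigure` and `-plow`; a user copying it gets a command-not-found error, so it should read `"dpkg-reconfigure -plow keystone"` exactly as in the msgid. The header also keeps the gettext template placeholders (`SOME DESCRIPTIVE TITLE`, `FIRST AUTHOR <EMAIL@ADDRESS>, YEAR`, `Language-Team: LANGUAGE <LL@li.org>`) and leaves `Language:` empty; `Language: zh_CN\n` is the one that matters, since tooling uses it to identify the translation. Minor: the msgstr for `Set up a database for Keystone?` drops the question mark, so the debconf prompt will not read as a question.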
