
Bug#686321: marked as done (unblock: keystone/2012.1.1-5)



Your message dated Fri, 31 Aug 2012 08:20:26 +0100
with message-id <f12cd8a5d30217ac733583da70158647@mail.adsl.funky-badger.org>
and subject line Re: Bug#686321: unblock: keystone/2012.1.1-5
has caused the Debian Bug report #686321,
regarding unblock: keystone/2012.1.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
686321: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686321
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package keystone.

This fixes CVE-2012-3542 (which was embargoed until yesterday), adds
a Chinese Debconf translation, and fixes the nl one:

* CVE-2012-3542: Fixes lack of authorization for adding users to tenants (Closes: #686265)
* Added Chinese debconf translation thanks to ben <duyujie.dyj@gmail.com>.
* Really adds the nl debconf translation this time (Closes: #685671).

Diff file attached.

Please unblock keystone/2012.1.1-5.

Cheers,

Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index 8cff360..f9d3d3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+keystone (2012.1.1-5) unstable; urgency=low
+
+  * CVE-2012-3542: Fixes lack of authorization for adding users to tenants
+  (Closes: #686265)
+  * Added Chinese debconf translation thanks to ben <duyujie.dyj@gmail.com>.
+  * Really adds the nl debconf translation this time (Closes: #685671).
+
+ -- Thomas Goirand <zigo@debian.org>  Mon, 27 Aug 2012 11:45:44 +0000
+
 keystone (2012.1.1-4) unstable; urgency=low
 
   * Updated debian/keystone.templates, debian/control after review from
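Review bot: the continuation line `+  (Closes: #686265)` in the first bullet sits at the bullet's own column instead of under the bullet text; indent it four spaces (`    (Closes: #686265)`) so the Closes tag reads as part of the CVE-2012-3542 entry, in line with the other two bullets that carry theirs inline. dpkg-parsechangelog still picks the tag up either way, so this is a style point only.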
diff --git a/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch b/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
new file mode 100644
index 0000000..1634e1e
--- /dev/null
+++ b/debian/patches/CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
@@ -0,0 +1,22 @@
+Description: Lack of authorization for adding users to tenants
+ Dolph Mathews reported a vulnerability in Keystone. When attempting to
+ update a user's default tenant, Keystone will only partially deny the
+ request when a user is not authorized to complete this action. The API
+ responds with 401 Not Authorized and the user's default tenant is not
+ changed. However, the user is still granted membership to this new
+ tenant. The result is that any client that can reach the
+ administrative API (deployed on port 35357, by default) can add any
+ user to any tenant.
+Origin: https://review.openstack.org/#/c/11869/
+Bug-Debian: http://bugs.debian.org/686265
+
+--- keystone-2012.1.1.orig/keystone/identity/core.py
++++ keystone-2012.1.1/keystone/identity/core.py
+@@ -436,6 +436,7 @@ class UserController(wsgi.Application):
+ 
+     def update_user_tenant(self, context, user_id, user):
+         """Update the default tenant."""
++        self.assert_admin(context)
+         # ensure that we're a member of that tenant
+         tenant_id = user.get('tenantId')
+         self.identity_api.add_user_to_tenant(context, tenant_id, user_id)
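Review bot: no regression test accompanies the fix, so nothing guards the ordering it relies on; the point of inserting `self.assert_admin(context)` as the first statement of `update_user_tenant` is that an unauthorized caller now fails before `self.identity_api.add_user_to_tenant(context, tenant_id, user_id)` executes, whereas, per the Description, the old code denied the default-tenant change only after membership had already been granted. A test that calls the method with a non-admin context and asserts both the authorization failure and that the target tenant's membership is unchanged would pin that down. On the DEP-3 header: Dolph Mathews is named as the reporter, not the author, so add an `Author:` field for the upstream change and an `Applied-Upstream:` line pointing at the same review.openstack.org change next to the existing `Origin:` field, so the patch can be dropped cleanly on the next upstream import.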
diff --git a/debian/patches/series b/debian/patches/series
index 1e2e5fa..6fbf616 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ logging.conf.patch
 pip-require_versions
 default_catalog.patch
 sql_conn.patch
+CVE-2012-3542_Lack-of-authorization-for-adding-users-to-tenants.patch
diff --git a/debian/po/nl.po b/debian/po/nl.po
index 7a9060b..59988ec 100644
--- a/debian/po/nl.po
+++ b/debian/po/nl.po
@@ -1,14 +1,14 @@
-# Dutch translation of nova debconf templates.
+# Dutch translation of keystone debconf templates.
 # Copyright (C) 2012 THE PACKAGE'S COPYRIGHT HOLDER
 # This file is distributed under the same license as the nova package.
 # Jeroen Schot <schot@a-eskwadraat.nl>, 2012.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: nova 2012.1-6\n"
+"Project-Id-Version: keystone 2012.1.1-4\n"
 "Report-Msgid-Bugs-To: keystone@packages.debian.org\n"
 "POT-Creation-Date: 2012-08-11 08:37+0200\n"
-"PO-Revision-Date: 2012-06-13 13:30+0200\n"
+"PO-Revision-Date: 2012-08-22 12:24+0200\n"
 "Last-Translator: Jeroen Schot <schot@a-eskwadraat.nl>\n"
 "Language-Team: Debian l10n Dutch <debian-l10n-dutch@lists.debian.org>\n"
 "Language: nl\n"
@@ -67,16 +67,16 @@ msgid ""
 "keystone\"."
 msgstr ""
 "U kunt deze instelling later wijzigen door het uitvoeren van \"dpkg-"
-"reconfigure keystone\". "
+"reconfigure -plow keystone\". "
 
 #. Type: string
 #. Description
 #: ../keystone.templates:3001
 msgid "Authentication server administration token:"
-msgstr ""
+msgstr "Beheer-token van authenticatieserver:"
 
 #. Type: string
 #. Description
 #: ../keystone.templates:3001
 msgid "Please enter the token to use with the authentication server."
-msgstr ""
+msgstr "Welke token moet er met de authenticatieserver worden gebruikt?"
diff --git a/debian/po/zh_CN.po b/debian/po/zh_CN.po
new file mode 100644
index 0000000..4be1534
--- /dev/null
+++ b/debian/po/zh_CN.po
@@ -0,0 +1,55 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: keystone\n"
+"Report-Msgid-Bugs-To: keystone@packages.debian.org\n"
+"POT-Creation-Date: 2012-06-27 19:39+0200\n"
+"PO-Revision-Date: 2012-08-27 16:22+0800\n"
+"Last-Translator: ben <duyujie.dyj@gmail.com>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "Set up a database for Keystone?"
+msgstr "为Keystone设置数据库"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "No database has been set up for Keystone to use. If you want to set one up now, please make sure you have all needed information:"
+msgstr "未曾为Keystone设置数据库。如果你想现在设置,请确定你有以下信息:"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid ""
+" * the host name of the database server (which must allow TCP\n"
+"   connections from this machine);\n"
+" * a username and password to access the database;\n"
+" * the type of database management software you want to use."
+msgstr ""
+" * 数据库服务器的主机名 (需要这台主机的TCP链接);\n"
+" * 访问这个数据库的用户名及密码;\n"
+" * 你希望使用的数据库管理软件的类型。"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "If you don't choose this option, no database will be set up and Keystone will use regular SQLite support."
+msgstr "如果你没有选择该项,不会设置数据库并且Keystone将会使用SQLite。"
+
+#. Type: boolean
+#. Description
+#: ../keystone.templates:1001
+msgid "You can change this setting later on by running \"dpkg-reconfigure -plow keystone\"."
+msgstr "您可以通过运行\"dpkg-reconfigure-plow keystone\" 命令来修改配置。"
+
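Review bot: this file was generated from an older template (`"POT-Creation-Date: 2012-06-27 19:39+0200\n"`) than the one nl.po now tracks (2012-08-11) and only covers the `../keystone.templates:1001` boolean; the `keystone.templates:3001` administration-token prompt that the nl hunk above translates has no entry here, so Chinese users will see it untranslated. Run `debconf-updatepo` (or merge against the current templates.pot) and translate the missing strings before upload. The header placeholders should also be filled in: the `SOME DESCRIPTIVE TITLE` and `FIRST AUTHOR <EMAIL@ADDRESS>, YEAR` comment lines, `Language-Team: LANGUAGE <LL@li.org>`, and the empty `"Language: \n"`, which should read `zh_CN`. Two msgstr nits: the last entry renders the command as `dpkg-reconfigure-plow keystone`, dropping the space before `-plow`, so a user copying it gets a non-existent command; and the first msgstr drops the question mark from `Set up a database for Keystone?`.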

--- End Message ---
--- Begin Message ---
On 31.08.2012 07:47, Thomas Goirand wrote:
> Please unblock package keystone.
>
> This fixes CVE-2012-3542 (which was embargoed until yesterday), adds
> a Chinese Debconf translation, and fixes the nl one:
>
> * CVE-2012-3542: Fixes lack of authorization for adding users to
> tenants (Closes: #686265)
> * Added Chinese debconf translation thanks to ben <duyujie.dyj@gmail.com>.
> * Really adds the nl debconf translation this time (Closes: #685671).

-4 hadn't migrated yet, so I've updated the existing unblock hint.

Regards,

Adam

--- End Message ---
