
Bug#785780: jessie-pu: package python-keystonemiddleware 1.0.0-3 -> 1.0.0-3+deb8u1 and python-keystoneclient 0.10.1-2 -> 0.10.1-2+deb8u1 (CVE-2015-1852)

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

After a discussion with the security team, we agreed that this update
should be done through p-u.

The bug is that in keystoneclient & keystonemiddleware, the option by
default is:


If you uncomment it, and set it to either true or false, it will always
be interpreted as true (even if it is set to false). This is due to the
code missing options to convert the string into its boolean value.

The patch is trivial, and can be stripped down to:

-        insecure = conf.get('insecure', False)
+        insecure = strutils.bool_from_string(conf.get('insecure', False))
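Review bot: the new call relies on bool_from_string's default strict=False, so a value that is neither a recognised true nor false spelling (a typo in the config, say) is silently mapped to the function's default of False rather than raising; that fails closed here (insecure stays off), but the choice deserves a comment and a case in the new unit test mentioned in the mail, or strict=True if a misspelt value should be reported to the operator instead.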

for both python-keystonemiddleware and python-keystoneclient. The
rest of the debdiff is unnecessary noise (like a new unit test to avoid
regressions, adding python-oslo.utils as new (build-)dependency, which
contains the function strutils.bool_from_string() and things of this
kind) that isn't helpful to study the patch, so I am not sending the
debdiff as attachment. If you want the full debdiff, it's available
next to the packages I wish to upload.

Both packages (and their corresponding debdiffs) are available at:

Please allow me to upload both to jessie-proposed-updates.


Thomas Goirand (zigo)

P.S: Am I right with the version numbers? I'm not sure here...
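The string-as-boolean bug described in this mail, as an added example that is not part of the message or of either Debian package: a constructed paste.ini-style section is parsed with configparser, then the `insecure` value is evaluated the way the unfixed code does (raw string used as a truth value) and the way the fix does (explicit string-to-bool conversion). `bool_from_string` is re-implemented here, modelled on oslo.utils' strutils.bool_from_string, so the example runs without oslo.utils installed; the section name, option values and the `verify_mode` helper are assumptions for illustration.

```python
import configparser
import ssl

# Constructed sample config section (not taken from the Debian packages).
# The operator has uncommented the option and explicitly set it to false.
SAMPLE_CONF = """
[filter:authtoken]
auth_uri = https://keystone.example.invalid:5000/
insecure = false
"""

TRUE_STRINGS = ('1', 't', 'true', 'on', 'y', 'yes')
FALSE_STRINGS = ('0', 'f', 'false', 'off', 'n', 'no')


def bool_from_string(subject, strict=False, default=False):
    """Modelled on oslo.utils strutils.bool_from_string (assumption:
    re-implemented here so the example is self-contained)."""
    if isinstance(subject, bool):
        return subject
    if not isinstance(subject, str):
        subject = str(subject)
    lowered = subject.strip().lower()
    if lowered in TRUE_STRINGS:
        return True
    if lowered in FALSE_STRINGS:
        return False
    if strict:
        acceptable = ', '.join("'%s'" % s for s in TRUE_STRINGS + FALSE_STRINGS)
        raise ValueError("Unrecognized value '%s', acceptable values are: %s"
                         % (subject, acceptable))
    return default


def load_filter_conf(text):
    """Parse the INI text and return the authtoken section as a plain dict
    of strings, which is what the middleware's conf.get() sees."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return dict(parser['filter:authtoken'])


def insecure_before_fix(conf):
    """Behaviour of the unfixed code: the raw string is used as a truth
    value, so any non-empty string, including 'false', is truthy."""
    insecure = conf.get('insecure', False)
    return bool(insecure)


def insecure_after_fix(conf):
    """Behaviour after the patch: convert the string explicitly."""
    insecure = bool_from_string(conf.get('insecure', False))
    return insecure


def verify_mode(insecure):
    """Assumed consequence for the client side: 'insecure' disables
    server certificate verification."""
    return ssl.CERT_NONE if insecure else ssl.CERT_REQUIRED


def classify_value(value):
    """Helper for operators auditing a config: report what the unfixed and
    fixed code would make of a given option string."""
    conf = {'insecure': value}
    return {
        'value': value,
        'before_fix': insecure_before_fix(conf),
        'after_fix': insecure_after_fix(conf),
    }


if __name__ == '__main__':
    conf = load_filter_conf(SAMPLE_CONF)
    for label, fn in (('before fix', insecure_before_fix),
                      ('after fix', insecure_after_fix)):
        insecure = fn(conf)
        print('%-10s insecure=%-5s verify_mode=%s'
              % (label, insecure, verify_mode(insecure).name))
```

With the sample section, the unfixed code ends up with `insecure=True` (certificate verification off) even though the operator wrote `false`; the fixed code yields `False`. An unset option still defaults to `False` on both paths, which is why the bug only bites once the option is uncommented.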
