Bug#785780: Debdiff attached
Control: tags -1 - moreinfo
Debdiff attached for both python-keystoneclient and
python-keystonemiddleware.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-keystoneclient-0.10.1/debian/changelog python-keystoneclient-0.10.1/debian/changelog
--- python-keystoneclient-0.10.1/debian/changelog 2014-09-25 14:46:13.000000000 +0000
+++ python-keystoneclient-0.10.1/debian/changelog 2015-05-19 18:46:39.000000000 +0000
@@ -1,3 +1,12 @@
+python-keystoneclient (1:0.10.1-2+deb8u1) jessie-proposed-updates; urgency=high
+
+ * CVE-2015-1852: S3token incorrect condition expression for ssl_insecure.
+ Applied upstream patch: Fix s3_token middleware parsing insecure option.
+ (Closes: #783164)
+ * Added python-oslo.utils (build-)depends introduce by this patch.
+
+ -- Thomas Goirand <zigo@debian.org> Thu, 23 Apr 2015 10:18:50 +0200
+
python-keystoneclient (1:0.10.1-2) unstable; urgency=high
* Uploading to unstable.
diff -Nru python-keystoneclient-0.10.1/debian/control python-keystoneclient-0.10.1/debian/control
--- python-keystoneclient-0.10.1/debian/control 2014-09-25 14:46:13.000000000 +0000
+++ python-keystoneclient-0.10.1/debian/control 2015-05-19 18:46:39.000000000 +0000
@@ -26,6 +26,7 @@
python-netaddr,
python-oauthlib (>= 0.6),
python-oslo.config (>= 1:1.2.1),
+ python-oslo.utils,
python-prettytable (>= 0.7),
python-requests (>= 1.1),
python-pysaml2,
@@ -52,6 +53,7 @@
python-lxml,
python-netaddr,
python-oslo.config (>= 1:1.2.1),
+ python-oslo.utils,
python-pbr (>= 0.8),
python-pkg-resources,
python-prettytable (>= 0.7),
diff -Nru python-keystoneclient-0.10.1/debian/patches/CVE-2015-1852_Fix-s3_token-middleware-parsing-insecure-option.patch python-keystoneclient-0.10.1/debian/patches/CVE-2015-1852_Fix-s3_token-middleware-parsing-insecure-option.patch
--- python-keystoneclient-0.10.1/debian/patches/CVE-2015-1852_Fix-s3_token-middleware-parsing-insecure-option.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-keystoneclient-0.10.1/debian/patches/CVE-2015-1852_Fix-s3_token-middleware-parsing-insecure-option.patch 2015-05-19 18:46:39.000000000 +0000
@@ -0,0 +1,71 @@
+Author: Brant Knudson <bknudson@us.ibm.com>
+ The "insecure" option was being treated as a bool when it was actually
+ provided as a string. The fix is to parse the string to a bool.
+Date: Tue, 7 Apr 2015 19:38:29 +0000 (+0000)
+Subject: Fix s3_token middleware parsing insecure option
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fpython-keystoneclient.git;a=commitdiff_plain;h=0e3a23d28438f3a298a384b1e1f1390cfa92b151
+Bug-Ubuntu: https://bugs.launchpad.net/keystonemiddleware/+bug/1411063
+Bug-Debian: https://bugs.debian.org/783164
+Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
+Origin: upstream, https://review.openstack.org/#/c/173378/
+Last-Update: 2015-04-23
+
+--- python-keystoneclient-0.10.1.orig/keystoneclient/middleware/s3_token.py
++++ python-keystoneclient-0.10.1/keystoneclient/middleware/s3_token.py
+@@ -33,6 +33,7 @@ This WSGI component:
+
+ import logging
+
++from oslo.utils import strutils
+ import requests
+ import six
+ from six.moves import urllib
+@@ -113,7 +114,7 @@ class S3Token(object):
+ self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port)
+
+ # SSL
+- insecure = conf.get('insecure', False)
++ insecure = strutils.bool_from_string(conf.get('insecure', False))
+ cert_file = conf.get('certfile')
+ key_file = conf.get('keyfile')
+
+--- python-keystoneclient-0.10.1.orig/keystoneclient/tests/test_s3_token_middleware.py
++++ python-keystoneclient-0.10.1/keystoneclient/tests/test_s3_token_middleware.py
+@@ -123,7 +123,7 @@ class S3TokenMiddlewareTestGood(S3TokenM
+ @mock.patch.object(requests, 'post')
+ def test_insecure(self, MOCK_REQUEST):
+ self.middleware = (
+- s3_token.filter_factory({'insecure': True})(FakeApp()))
++ s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
+
+ text_return_value = jsonutils.dumps(GOOD_RESPONSE)
+ if six.PY3:
+@@ -141,6 +141,28 @@ class S3TokenMiddlewareTestGood(S3TokenM
+ mock_args, mock_kwargs = MOCK_REQUEST.call_args
+ self.assertIs(mock_kwargs['verify'], False)
+
++ def test_insecure_option(self):
++ # insecure is passed as a string.
++
++ # Some non-secure values.
++ true_values = ['true', 'True', '1', 'yes']
++ for val in true_values:
++ config = {'insecure': val, 'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertIs(False, middleware.verify)
++
++ # Some "secure" values, including unexpected value.
++ false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
++ for val in false_values:
++ config = {'insecure': val, 'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertEqual('false_ind', middleware.verify)
++
++ # Default is secure.
++ config = {'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertIs('false_ind', middleware.verify)
++
+
+ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
+ def setUp(self):
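Review bot: An unrecognised `insecure` value is silently mapped to "verify the certificate" by the new `insecure = strutils.bool_from_string(conf.get('insecure', False))` line; that is the fail-safe direction and `test_insecure_option` pins it with `someweirdvalue`, but it also hides operator typos, so if the jessie oslo.utils accepts the keyword, `strutils.bool_from_string(conf.get('insecure', False), strict=True)` would raise at startup instead (the `someweirdvalue` case would then assert a `ValueError`). The DEP-3 header of this patch file is malformed: the two indented description lines follow `Author:` with no `Description:` field, so they are parsed as a continuation of the author; add `Description: Fix s3_token middleware parsing insecure option` above them, as the keystonemiddleware patch in this upload does. In the default case of the new test, `self.assertIs('false_ind', middleware.verify)` passes only through string interning; use `self.assertEqual('false_ind', middleware.verify)` like the loop above it. `S3Token.__init__` continues outside the hunk, so whether any other option is read from `conf` with the same string-vs-bool problem cannot be checked here.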
diff -Nru python-keystoneclient-0.10.1/debian/patches/series python-keystoneclient-0.10.1/debian/patches/series
--- python-keystoneclient-0.10.1/debian/patches/series 2014-09-25 14:46:13.000000000 +0000
+++ python-keystoneclient-0.10.1/debian/patches/series 2015-05-19 18:46:39.000000000 +0000
@@ -1,3 +1,4 @@
no-intersphinx.patch
do-not-call-TestCase.setUp-twice.patch
CVE-2014-7144_Fix_the_condition_expression_for_ssl_insecure.patch
+CVE-2015-1852_Fix-s3_token-middleware-parsing-insecure-option.patch
diff -Nru python-keystonemiddleware-1.0.0/debian/changelog python-keystonemiddleware-1.0.0/debian/changelog
--- python-keystonemiddleware-1.0.0/debian/changelog 2014-09-25 07:17:55.000000000 +0000
+++ python-keystonemiddleware-1.0.0/debian/changelog 2015-05-20 05:53:59.000000000 +0000
@@ -1,3 +1,12 @@
+python-keystonemiddleware (1.0.0-3+deb8u1) jessie-proposed-updates; urgency=medium
+
+ * Refreshed patches.
+ * cve-2015-1852: S3Token TLS cert verification option not honored. Applied
+ upstream patch.
+ * Added python-oslo.utils new (build-)depends introduced by this patch.
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 20 May 2015 02:08:33 +0200
+
python-keystonemiddleware (1.0.0-3) unstable; urgency=medium
* Added CVE-2014-7144_convert_the_conf_value_into_correct_type.patch. Thanks
diff -Nru python-keystonemiddleware-1.0.0/debian/control python-keystonemiddleware-1.0.0/debian/control
--- python-keystonemiddleware-1.0.0/debian/control 2014-09-25 07:17:55.000000000 +0000
+++ python-keystonemiddleware-1.0.0/debian/control 2015-05-20 05:53:59.000000000 +0000
@@ -26,6 +26,7 @@
python-keystoneclient (>= 0.9.0),
python-netaddr (>= 0.7.6),
python-oslo.config (>= 1.2.1),
+ python-oslo.utils,
python-prettytable (>=0.7),
python-requests (>= 1.1),
python-six (>= 1.7.0),
@@ -48,6 +49,7 @@
python-keystoneclient (>= 0.9.0),
python-netaddr (>= 0.7.6),
python-oslo.config (>= 1.2.1),
+ python-oslo.utils,
python-pbr (>= 0.6),
python-prettytable (>=0.7),
python-requests (>= 1.1),
diff -Nru python-keystonemiddleware-1.0.0/debian/patches/CVE-2014-7144_convert_the_conf_value_into_correct_type.patch python-keystonemiddleware-1.0.0/debian/patches/CVE-2014-7144_convert_the_conf_value_into_correct_type.patch
--- python-keystonemiddleware-1.0.0/debian/patches/CVE-2014-7144_convert_the_conf_value_into_correct_type.patch 2014-09-25 07:17:55.000000000 +0000
+++ python-keystonemiddleware-1.0.0/debian/patches/CVE-2014-7144_convert_the_conf_value_into_correct_type.patch 2015-05-20 05:53:59.000000000 +0000
@@ -10,11 +10,11 @@
Bug-Debian: https://bugs.debian.org/762748
Last-Update: 2014-09-25
-diff --git a/keystonemiddleware/auth_token.py b/keystonemiddleware/auth_token.py
-index ce60402..f06a7c4 100644
---- a/keystonemiddleware/auth_token.py
-+++ b/keystonemiddleware/auth_token.py
-@@ -424,6 +424,27 @@ def _safe_quote(s):
+Index: python-keystonemiddleware/keystonemiddleware/auth_token.py
+===================================================================
+--- python-keystonemiddleware.orig/keystonemiddleware/auth_token.py
++++ python-keystonemiddleware/keystonemiddleware/auth_token.py
+@@ -422,6 +422,27 @@ def _safe_quote(s):
return urllib.parse.quote(s) if s == urllib.parse.unquote(s) else s
@@ -42,7 +42,7 @@
class InvalidUserToken(Exception):
pass
-@@ -459,7 +480,10 @@ class AuthProtocol(object):
+@@ -457,7 +478,10 @@ class AuthProtocol(object):
def __init__(self, app, conf):
self._LOG = logging.getLogger(conf.get('log_name', __name__))
self._LOG.info('Starting keystone auth_token middleware')
@@ -54,11 +54,11 @@
self._app = app
# delay_auth_decision means we still allow unauthenticated requests
-diff --git a/keystonemiddleware/tests/test_auth_token_middleware.py b/keystonemiddleware/tests/test_auth_token_middleware.py
-index e2dff21..bb1c0a5 100644
---- a/keystonemiddleware/tests/test_auth_token_middleware.py
-+++ b/keystonemiddleware/tests/test_auth_token_middleware.py
-@@ -531,6 +531,29 @@ class GeneralAuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest,
+Index: python-keystonemiddleware/keystonemiddleware/tests/test_auth_token_middleware.py
+===================================================================
+--- python-keystonemiddleware.orig/keystonemiddleware/tests/test_auth_token_middleware.py
++++ python-keystonemiddleware/keystonemiddleware/tests/test_auth_token_middleware.py
+@@ -560,6 +560,29 @@ class GeneralAuthTokenMiddlewareTest(Bas
self.assertEqual(middleware._token_revocation_list_cache_timeout,
datetime.timedelta(seconds=24))
diff -Nru python-keystonemiddleware-1.0.0/debian/patches/cve-2015-1852_Fix_s3_token_middleware_parsing_insecure_option.patch python-keystonemiddleware-1.0.0/debian/patches/cve-2015-1852_Fix_s3_token_middleware_parsing_insecure_option.patch
--- python-keystonemiddleware-1.0.0/debian/patches/cve-2015-1852_Fix_s3_token_middleware_parsing_insecure_option.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-keystonemiddleware-1.0.0/debian/patches/cve-2015-1852_Fix_s3_token_middleware_parsing_insecure_option.patch 2015-05-20 05:53:59.000000000 +0000
@@ -0,0 +1,67 @@
+Description: Fix s3_token middleware parsing insecure option
+ The "insecure" option was being treated as a bool when it was actually
+ provided as a string. The fix is to parse the string to a bool.
+Author: Brant Knudson <bknudson@us.ibm.com>
+Date: Mon, 23 Mar 2015 18:19:18 -0500
+Bug-Ubuntu: 1411063
+Change-Id: I508dae8d7bedfc903e476cdefac43d05cbd7fbe1
+
+--- python-keystonemiddleware-1.0.0.orig/keystonemiddleware/s3_token.py
++++ python-keystonemiddleware-1.0.0/keystonemiddleware/s3_token.py
+@@ -34,6 +34,7 @@ This WSGI component:
+ import logging
+ import webob
+
++from oslo.utils import strutils
+ import requests
+ import six
+ from six.moves import urllib
+@@ -114,7 +115,7 @@ class S3Token(object):
+ auth_port)
+
+ # SSL
+- insecure = conf.get('insecure', False)
++ insecure = strutils.bool_from_string(conf.get('insecure', False))
+ cert_file = conf.get('certfile')
+ key_file = conf.get('keyfile')
+
+--- python-keystonemiddleware-1.0.0.orig/keystonemiddleware/tests/test_s3_token_middleware.py
++++ python-keystonemiddleware-1.0.0/keystonemiddleware/tests/test_s3_token_middleware.py
+@@ -123,7 +123,7 @@ class S3TokenMiddlewareTestGood(S3TokenM
+ @mock.patch.object(requests, 'post')
+ def test_insecure(self, MOCK_REQUEST):
+ self.middleware = (
+- s3_token.filter_factory({'insecure': True})(FakeApp()))
++ s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
+
+ text_return_value = jsonutils.dumps(GOOD_RESPONSE)
+ if six.PY3:
+@@ -141,6 +141,28 @@ class S3TokenMiddlewareTestGood(S3TokenM
+ mock_args, mock_kwargs = MOCK_REQUEST.call_args
+ self.assertIs(mock_kwargs['verify'], False)
+
++ def test_insecure_option(self):
++ # insecure is passed as a string.
++
++ # Some non-secure values.
++ true_values = ['true', 'True', '1', 'yes']
++ for val in true_values:
++ config = {'insecure': val, 'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertIs(False, middleware._verify)
++
++ # Some "secure" values, including unexpected value.
++ false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
++ for val in false_values:
++ config = {'insecure': val, 'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertEqual('false_ind', middleware._verify)
++
++ # Default is secure.
++ config = {'certfile': 'false_ind'}
++ middleware = s3_token.filter_factory(config)(FakeApp())
++ self.assertIs('false_ind', middleware._verify)
++
+
+ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
+ def setUp(self):
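Review bot: The new patch header has no `Origin:` field and `Bug-Ubuntu: 1411063` is a bare number, so the provenance of this backport cannot be verified from the package alone; the keystoneclient patch in the same upload carries `Origin: upstream, <gerrit review URL>` and a full `Bug-Ubuntu:` URL, and this header should match it. As in that patch, an unrecognised `insecure` value silently falls back to verifying the certificate at `insecure = strutils.bool_from_string(conf.get('insecure', False))`, which is the safe direction; `strict=True` would surface a misconfiguration at startup if the jessie oslo.utils supports that keyword, and the `someweirdvalue` test case would need updating accordingly. The default-case assertion `self.assertIs('false_ind', middleware._verify)` relies on string interning and should be `self.assertEqual('false_ind', middleware._verify)`. `S3Token.__init__` continues outside the hunk.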
diff -Nru python-keystonemiddleware-1.0.0/debian/patches/series python-keystonemiddleware-1.0.0/debian/patches/series
--- python-keystonemiddleware-1.0.0/debian/patches/series 2014-09-25 07:17:55.000000000 +0000
+++ python-keystonemiddleware-1.0.0/debian/patches/series 2015-05-20 05:53:59.000000000 +0000
@@ -1,3 +1,4 @@
removes-discover-from-test-requirements.txt
no-intersphinx.patch
CVE-2014-7144_convert_the_conf_value_into_correct_type.patch
+cve-2015-1852_Fix_s3_token_middleware_parsing_insecure_option.patch