
Bug#785780: marked as done (jessie-pu: package python-keystonemiddleware 1.0.0-3 -> 1.0.0-3+deb8u1 and python-keystoneclient 0.10.1-2 -> 0.10.1-2+deb8u1 (CVE-2015-1852))



Your message dated Sat, 05 Sep 2015 14:31:07 +0100
with message-id <1441459867.2151.32.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for 8.2
has caused the Debian Bug report #785780,
regarding jessie-pu: package python-keystonemiddleware 1.0.0-3 -> 1.0.0-3+deb8u1 and python-keystoneclient 0.10.1-2 -> 0.10.1-2+deb8u1 (CVE-2015-1852)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
785780: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785780
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

After a discussion with the security team, we agreed that this update
should be done through p-u.

The bug is that in keystoneclient & keystonemiddleware, the option by
default is:

#insecure=false

If you uncomment it, and set it to either true or false, it will always
be interpreted as true (even if it is set to false). This is due to the
code missing options to convert the string into its boolean value.

The patch is trivial, and can be stripped down to:

-        insecure = conf.get('insecure', False)
+        insecure = strutils.bool_from_string(conf.get('insecure', False))
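Review bot: on the `+` line, what `strutils.bool_from_string` returns for a value that is neither a recognised true nor a recognised false spelling (a typo such as `flase`) decides whether the fix fails safe; for an option named `insecure` that case should resolve to False or raise, and the regression test mentioned in this message should pin it. The stripped-down hunk also does not show the `strutils` import, so check that both packages gain it together with the python-oslo.utils dependency.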

for both python-keystonemiddleware and python-keystoneclient. The
rest of the debdiff is unnecessary noise (like a new unit test to avoid
regressions, adding python-oslo.utils as new (build-)dependency, which
contains the function strutils.bool_from_string() and things of this
kind) that isn't helpful to study the patch, so I am not sending the
debdiff as an attachment. If you want the full debdiff, it's available
next to the packages I wish to upload.

Both packages (and their corresponding debdiffs) are available at:
http://sid.gplhost.com/jessie-proposed-updates/

Please allow me to upload both to jessie-proposed-updates.

Cheers,

Thomas Goirand (zigo)

P.S: Am I right with the version numbers? I'm not sure here...

--- End Message ---
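The failure described in the message above, shown as an added example that is not part of the original mail or of either package: a value read from a config file arrives as a string, so `"false"` is truthy until it is converted. `parse_bool` is a hypothetical stand-in for `strutils.bool_from_string` (so the block runs without oslo.utils) and raising on unknown values is this example's choice; the `[keystone_authtoken]` section name and the sample config are assumptions constructed for the demonstration.

```python
import configparser

# Constructed sample config: the operator explicitly asks for verification.
SAMPLE_CONF = """
[keystone_authtoken]
insecure = false
"""

_TRUE = {"1", "t", "true", "on", "y", "yes"}
_FALSE = {"0", "f", "false", "off", "n", "no"}


def load_conf(text):
    """Return the section as a plain dict of strings, as a config file yields."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return dict(parser["keystone_authtoken"])


def insecure_before(conf):
    """Pre-fix behaviour: the raw string is used directly as a truth value."""
    return bool(conf.get("insecure", False))


def parse_bool(value):
    """Hypothetical stand-in for strutils.bool_from_string; raises on unknowns."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError("not a boolean: %r" % (value,))


def insecure_after(conf):
    """Post-fix behaviour: the string is converted before it is used."""
    return parse_bool(conf.get("insecure", False))


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    print("before:", insecure_before(conf))  # any non-empty string is truthy
    print("after: ", insecure_after(conf))
```
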
--- Begin Message ---
Version: 8.2

Hi,

These bugs correspond to updates which were included in the 8.2 point
release.

Regards,

Adam

--- End Message ---
