OpenStack Identity (keystone)

Merge lp:~james-page/keystone/folsom-resync into lp:~openstack-ubuntu-testing/keystone/folsom

folsom-resync
Merge into folsom

Proposed by James Page on 2013-03-22

Status:	Merged
Approved by:	Chuck Short on 2013-03-22
Approved revision:	162
Merged at revision:	161
Proposed branch:	lp:~james-page/keystone/folsom-resync
Merge into:	lp:~openstack-ubuntu-testing/keystone/folsom
Diff against target:	169 lines (+135/-1) 3 files modified debian/changelog (+27/-1) debian/patches/CVE-2013-1865.patch (+107/-0) debian/patches/series (+1/-0)
To merge this branch:	bzr merge lp:~james-page/keystone/folsom-resync
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Openstack Ubuntu Testers		2013-03-22	Pending
Review via email: mp+154954@code.launchpad.net

Description of the change

Resync of pending SRU with security updates

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

James Page

Openstack Ubuntu Testers

 === modified file 'debian/changelog'
 --- debian/changelog	2013-02-21 00:51:14 +0000
 +++ debian/changelog	2013-03-22 13:42:10 +0000
@@ -1,4 +1,4 @@
--keystone (2012.2.3+stable-20130220-37b35328-0ubuntu1) quantal-proposed; urgency=low
++keystone (2012.2.3+stable-20130220-37b35328-0ubuntu1) UNRELEASED; urgency=low
    * Dropped patches, applied upstream:
      - debian/patches/CVE-2013-0282.patch: [f0b4d30]
@@ -11,6 +11,23 @@
   -- Adam Gandelman <adamg@ubuntu.com>  Wed, 20 Feb 2013 16:32:14 -0400
++keystone (2012.2.3+stable-20130206-82c87e56-0ubuntu2) quantal-proposed; urgency=low
++
++  * Resync with latest security updates.
++  * SECURITY UPDATE: fix PKI revocation bypass
++    - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
++    - CVE-2013-1865
++  * SECURITY UPDATE: fix EC2-style authentication for disabled users
++    - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
++      to ensure user and tenant are enabled in EC2
++    - CVE-2013-0282
++  * SECURITY UPDATE: fix denial of service
++    - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
++    - CVE-2013-1664
++    - CVE-2013-1665
++
++ -- James Page <james.page@ubuntu.com>  Fri, 22 Mar 2013 12:02:56 +0000
++
  keystone (2012.2.3+stable-20130206-82c87e56-0ubuntu1) quantal-proposed; urgency=low
    [ Adam Gandelman ]
@@ -31,6 +48,15 @@
   -- Adam Gandelman <adamg@ubuntu.com>  Wed, 06 Feb 2013 11:13:12 -0400
++keystone (2012.2.1-0ubuntu1.3) quantal-security; urgency=low
++
++  * SECURITY UPDATE: fix PKI revocation bypass
++    - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
++    - CVE-2013-1865
++    - LP: #1129713
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 20 Mar 2013 08:45:09 -0500
++
  keystone (2012.2.1-0ubuntu1.2) quantal-security; urgency=low
    * SECURITY UPDATE: fix EC2-style authentication for disabled users
 === added file 'debian/patches/CVE-2013-1865.patch'
 --- debian/patches/CVE-2013-1865.patch	1970-01-01 00:00:00 +0000
 +++ debian/patches/CVE-2013-1865.patch	2013-03-22 13:42:10 +0000
@@ -0,0 +1,107 @@
++From 176f11421236156f4c48bac0c4732c281527d563 Mon Sep 17 00:00:00 2001
++From: Adam Young <ayoung@redhat.com>
++Date: Thu, 14 Mar 2013 12:05:24 -0500
++Subject: [PATCH] validate from backend
++
++In certain cases we were depending on CMS to validate PKI tokens
++but that is not necessary, and by passes the revocation check
++
++Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4
++---
++ keystone/service.py   | 19 ++++++-------------
++ tests/test_service.py | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
++ 2 files changed, 57 insertions(+), 13 deletions(-)
++
++diff --git a/keystone/service.py b/keystone/service.py
++index c088986..9799e3a 100644
++--- a/keystone/service.py
+++++ b/keystone/service.py
++@@ -490,20 +490,13 @@ class TokenController(wsgi.Application):
++         """
++         # TODO(termie): this stuff should probably be moved to middleware
++         self.assert_admin(context)
+++        data = self.token_api.get_token(context=context, token_id=token_id)
+++        if belongs_to:
+++            if (not data.get('tenant') or data['tenant'].get('id') !=
+++                    belongs_to):
+++                raise exception.Unauthorized()
++
++-        if cms.is_ans1_token(token_id):
++-            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
++-                                             config.CONF.signing.certfile,
++-                                             config.CONF.signing.ca_certs))
++-            data['access']['token']['user'] = data['access']['user']
++-            data['access']['token']['metadata'] = data['access']['metadata']
++-            if belongs_to:
++-                assert data['access']['token']['tenant']['id'] == belongs_to
++-            token_ref = data['access']['token']
++-        else:
++-            token_ref = self.token_api.get_token(context=context,
++-                                                 token_id=token_id)
++-        return token_ref
+++        return data
++
++     # admin only
++     def validate_token_head(self, context, token_id):
++diff --git a/tests/test_service.py b/tests/test_service.py
++index f48bd9a..487e5ac 100644
++--- a/tests/test_service.py
+++++ b/tests/test_service.py
++@@ -150,3 +150,54 @@ class AuthTest(test.TestCase):
++         body_dict = _build_user_auth(username='FOO', password='0' * 8193)
++         self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
++                           {}, body_dict)
+++
+++
+++class AuthWithToken(AuthTest):
+++    def setUp(self):
+++        super(AuthWithToken, self).setUp()
+++
+++    def test_belongs_to_no_tenant(self):
+++        r = self.api.authenticate(
+++            {},
+++            auth={
+++                'passwordCredentials': {
+++                    'username': self.user_foo['name'],
+++                    'password': self.user_foo['password']
+++                }
+++            })
+++        unscoped_token_id = r['access']['token']['id']
+++        self.assertRaises(
+++            exception.Unauthorized,
+++            self.api.validate_token,
+++            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
+++            token_id=unscoped_token_id)
+++
+++    def test_belongs_to_wrong_tenant(self):
+++        body_dict = _build_user_auth(
+++            username='FOO',
+++            password='foo2',
+++            tenant_name="BAR")
+++
+++        scoped_token = self.api.authenticate({}, body_dict)
+++        scoped_token_id = scoped_token['access']['token']['id']
+++
+++        self.assertRaises(
+++            exception.Unauthorized,
+++            self.api.validate_token,
+++            dict(is_admin=True, query_string={'belongsTo': 'me'}),
+++            token_id=scoped_token_id)
+++
+++    def test_belongs_to(self):
+++        body_dict = _build_user_auth(
+++            username='FOO',
+++            password='foo2',
+++            tenant_name="BAR")
+++
+++        scoped_token = self.api.authenticate({}, body_dict)
+++        scoped_token_id = scoped_token['access']['token']['id']
+++
+++        self.assertRaises(
+++            exception.Unauthorized,
+++            self.api.validate_token,
+++            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
+++            token_id=scoped_token_id)
++--
++1.8.1.3
++
 === modified file 'debian/patches/series'
 --- debian/patches/series	2012-06-22 16:27:53 +0000
 +++ debian/patches/series	2013-03-22 13:42:10 +0000
@@ -1,2 +1,3 @@
  fix-ubuntu-tests.patch
  sql_connection.patch
++CVE-2013-1865.patch

OpenStack Identity (keystone)

Merge lp:~james-page/keystone/folsom-resync into lp:~openstack-ubuntu-testing/keystone/folsom

Commit message

Description of the change

Preview Diff

Subscribers