lp:ubuntu/precise-security/keystone

Created by Ubuntu Package Importer on 2012-09-03 and last modified on 2013-05-16
Get this branch:
bzr branch lp:ubuntu/precise-security/keystone

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

31. By Jamie Strandboge on 2013-05-15

* SECURITY UPDATE: delete user token immediately upon delete when using v2
  API
  - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
    token_api.delete_token() during delete. Also update test suite.
  - CVE-2013-2059
  - LP: #1166670

30. By Jamie Strandboge on 2013-02-19

* SECURITY UPDATE: fix EC2-style authentication for disabled users
  - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
    to ensure user and tenant are enabled in EC2
  - CVE-2013-0282
  - LP: #1121494
* SECURITY UPDATE: fix denial of service
  - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
  - CVE-2013-1664
  - CVE-2013-1665
  - LP: #1100279

29. By Jamie Strandboge on 2013-01-31

* SECURITY UPDATE: fix token creation error handling
  - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
    password, tenant_name, tenant_id and token size to help guard against a
    denial of service via large log files filling the disk
  - CVE-2013-0247

28. By Jamie Strandboge on 2012-11-26

* SECURITY UPDATE: fix for EC2-style credentials invalidation
  - debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
    that the user is in at least one valid role for the tenant
  - CVE-2012-5571
  - LP: #1064914

27. By Steve Beattie on 2012-09-12

* SECURITY UPDATE: Pre-existing tokens continue to be valid after
  granting or revoking a user's access (LP: #1041396)
  - debian/patches/keystone-CVE-2012-4413.patch: invalidate all user
    tokens upon role grant/revoke
  - CVE-2012-4413

26. By Steve Beattie on 2012-08-30

* SECURITY UPDATE: tenants are able to be added to users without
  authorization (LP: #1040626)
  - debian/patches/keystone-CVE-2012-3542: require authz to update a
    user's tenant.
  - CVE-2012-3542

25. By Chuck Short on 2012-04-05

* New upstream version.
* debian/man/keystone.8: Mention that there is a lack of ssl support.

24. By Chuck Short on 2012-04-04

[Chuck Short]
* New upstream version.
* debian/keystone.install: install tools/{convert_to_sqlite.sh,
  sample_data.sh}

[Adam Gandelman]
* debian/patches/fix-ubuntu-tests.patch: Also skip keystoneclient
  essex 3 tests, add patch description
* debian/keystone.logrotate: Add logrotate config (LP: #962426)

23. By Chuck Short on 2012-03-26

[Chuck Short]
* New upstream version.
* debian/control: Add python-iso8601 as a depends.
* debian/patches/fix-ubuntu-tests.patch: Disable git checkout on some
  of the tests.
* dropped swift as a depends.

[Adam Gandelman]
* debian/patches/sql_connection.patch: Refresh
* debian/logging.conf: Update and enable file logging (LP: #959610)
* debian/keystone.prerm: Only attempt to cleanup database if it was
  configured during installation. (LP: #948719)
* debian/rules: Fix doc builds + clean (LP: #956019)
* debian/control: Add python-{nova, swift} as Build-Depends, required
  for doc building
* debian/rules, debian/tests/test_overrides.conf: Setup a proper environment
  for unit testing

22. By Adam Gandelman on 2012-03-16

New upstream release.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/quantal/keystone
This branch contains Public information 
Everyone can see this information.
