Created by Ubuntu Package Importer on 2012-11-28 and last modified on 2013-10-24
Get this branch:
bzr branch lp:ubuntu/quantal-security/keystone
Members of Ubuntu branches can upload to this branch.

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

41. By Jamie Strandboge on 2013-10-22

* SECURITY UPDATE: revoke user tokens when disabling/deleting a project
  - debian/patches/CVE-2013-4222.patch: add _delete_tokens_for_project() to
    common/controller.py and use it in identity/controllers.py
    (LP: #1179955)
  - CVE-2013-4222
* SECURITY UPDATE: fix and test token revocation list API
  - debian/patches/CVE-2013-4294.patch: fix token matching for memcache
    backend token revocation (LP: #1202952)
  - CVE-2013-4294

40. By Jamie Strandboge on 2013-06-13

* SECURITY UPDATE: fix auth_token middleware neglecting to check expiry of
  signed token when using PKI
  - debian/patches/CVE-2013-2104.patch: explicitly check the expiry on the
    tokens, and reject tokens that have expired. Also update test data
  - CVE-2013-2104
  - LP: #1179615
* debian/patches/fix-testsuite-for-2038-problem.patch: Adjust json example
  cert data to use 2037 instead of 2112 and regenerate the certs. Also
  adjust token expiry data to use 2037 instead of 2999.
* SECURITY UPDATE: fix authentication bypass when using LDAP backend
  - debian/patches/CVE-2013-2157.patch: identity/backends/ldap/core.py is
    adjusted to raise an assertion for invalid password when using LDAP and
    an empty password is submitted
  - CVE-2013-2157
  - LP: #1187305

39. By Jamie Strandboge on 2013-05-07

* SECURITY UPDATE: delete user token immediately upon delete when using v2
  - CVE-2013-2059.patch: adjust keystone/identity/core.py to call
    token_api.delete_token() during delete. Also update test suite.
  - CVE-2013-2059
  - LP: #1166670

38. By Jamie Strandboge on 2013-03-20

* SECURITY UPDATE: fix PKI revocation bypass
  - debian/patches/CVE-2013-1865.patch: validate tokens from the backend
  - CVE-2013-1865
  - LP: #1129713

37. By Jamie Strandboge on 2013-02-19

* SECURITY UPDATE: fix EC2-style authentication for disabled users
  - debian/patches/CVE-2013-0282.patch: adjust keystone/contrib/ec2/core.py
    to ensure user and tenant are enabled in EC2
  - CVE-2013-0282
  - LP: #1121494
* SECURITY UPDATE: fix denial of service
  - debian/patches/CVE-2013-1664+1665.patch: disable XML entity parsing
  - CVE-2013-1664
  - CVE-2013-1665
  - LP: #1100279
  - LP: #1100282

36. By Jamie Strandboge on 2013-01-31

* SECURITY UPDATE: fix token creation error handling
  - debian/patches/CVE-2013-0247.patch: validate size of user_id, username,
    password, tenant_name, tenant_id and old_token size to help guard
    against a denial of service via large log files filling the disk
  - CVE-2013-0247

35. By Jamie Strandboge on 2012-11-28

* SECURITY UPDATE: fix for EC2-style credentials invalidation
  - debian/patches/CVE-2012-5571.patch: adjust contrib/ec2/core.py to verify
    that the user is in at least one valid role for the tenant
  - CVE-2012-5571
  - LP: #1064914
* debian/patches/fix-ssl-tests-lp1068851.patch: update certificates for
  SSL tests
* SECURITY UPDATE: fix for token expiration
  - debian/patches/CVE-2012-5563.patch: ensure token expiration is
  - CVE-2012-5563
  - LP: #1079216

34. By Chuck Short on 2012-09-27

New upstream release.

33. By Chuck Short on 2012-09-26

New upstream release.

32. By Chuck Short on 2012-09-17

* New upstream version.
* debian/keystone.logrotate: Compress log file when rotated. (LP: #1049309)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)